23542300x800000000000000034793Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:57:54.707{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E836D5C6E25DC5FD8BD0B96ADCC1FFB,SHA256=BCE236ECD65035554374C91C8B04A1BDAB5ECF17FAA481E8E87AC592F0ADEBE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:57:54.744{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBD5E3FC010EC5B142FB24C7940A8E9E,SHA256=FECD2321BC02BE1E1883B387450AAC7217D2ECE4C601376016F4E76BB1E4A5A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034792Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:57:51.295{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50942-false10.0.1.12-8089- 354300x800000000000000034791Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:57:51.263{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50941-false10.0.1.12-8000- 23542300x800000000000000034794Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:57:55.738{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E48D015D7C3D53751B240969DC1C2BB,SHA256=92EBB851AAE5F7FF4922B4C6B0D36D7672D522C5B01D982B7F218214DC0BACFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:57:55.765{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01699AE0FE4401B4D14A8A6BD0002763,SHA256=C53CF5C2185E1104D957DF6C30D235F56FB95BD806B2D6D3BFCD728409A11841,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:57:56.780{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52B4B0B4452B46F3AE07232491A7CA9E,SHA256=C4882EF2F9DB103CDCC4B1F7BDFEC6A0E7898C7AD99D2C198EC538EBAD76271A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034795Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:57:56.769{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED103C5CEC3F9EF491980F40879E1B29,SHA256=008032EA1BF19BEF6E0DF54C247A206F2A45515B767978A28DD04A3E0D088A93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:57:57.780{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCA0835C9415605015145C88C7D9D660,SHA256=A38A0CA583BD18E4B880D5F6701E88F3AFC14730CD8E23BD7CCB2B5E48317A34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034796Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:57:57.801{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29E3C41455339419EE62B93F513915D3,SHA256=569D0A02D9AB89CC059225DCA26392B881979E69139BB88E42791A3BCF2A0A85,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:57:55.844{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62365-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000058762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:57:58.781{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95ED7DA02C8E4C21BEBA9A51BDD342F7,SHA256=9E1DCAAA8E09A2CC7D2E27A08BC1E117B69725594D9C4F4EF41193CF9BBCEC2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034797Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:57:58.816{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A04C49F365AAEA67F5A4772A5059FC6E,SHA256=DE59B4CC76BE5D1E1B69BDD85552381F334FA6ADAC658E6D2FC5BEC64ADB021B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034798Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:57:59.863{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5608BF86C9A20686062D49BF196CEB2,SHA256=7C70965AF0F85ECA1D384910F6A60A19BADE0D874850CAB66698C673B408266F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:57:59.811{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE34E2FFE766C4A14C11F7E6166310BB,SHA256=FC733129281D7E42E1EBE730B1BF08C1049EDB6AC7ACBD7D86C138D2204694E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034800Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:00.941{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83E652170EA98A4AA19EA10C22280B66,SHA256=6AFDB985EC4F741C8323DEC625288AF39E2358704B68FB5D52863968A95B5E3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:00.811{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51075C22017DDC50A44019728D521996,SHA256=5089E1D7E4147B018CE9594A0063B2F992A3CD82EE3BD338F94030F90DDF6223,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034799Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:57:57.169{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50943-false10.0.1.12-8000- 23542300x800000000000000058765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:01.812{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC020119E5DF8B212CABBAF2E2A07E68,SHA256=C0BE8B68E233E3C99934CA883ADFBDF61D7728AF8E39926B1653B4A0D5F6BDBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034801Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:01.972{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=042A71D5F3B2C5CDAD0204BAD2AC59D7,SHA256=00E0852992FCF257D90B9BCBA7DF7BD478ECEEF43A04FA8DAA338369918A7043,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:02.843{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C55B780A244319E243709B8FC248E6F6,SHA256=5632A10D122C991876F0D35E5634075081BA9EFB4AB1AB8F4D9A71EF3D823073,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034803Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:02.987{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF1A2A996110862725837CF8EC0B9077,SHA256=1EF0A5FF76261DCD79861147E456D9B5E426575C4EED9EDD7A6495952E3D7336,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034802Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:02.836{8EF30467-5222-61E9-1D00-000000002202}1936NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08eff906c3b0b2aeb\channels\health\respondent-20220120121429-100MD5=9C7CC3E13423C542C468574212C91F42,SHA256=598A0B94AA34B4E0F57831480B3ABFCDA89CC50178B87C4D9085997CAB025298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:03.880{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B940178238C452324E787CBB90619E8,SHA256=6C97D2F0ACEE199611D37BD65ECE234E164FAE3C777E20BBB94AEBAA417E0330,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:00.975{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62366-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034804Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:03.847{8EF30467-5222-61E9-1D00-000000002202}1936NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08eff906c3b0b2aeb\channels\health\surveyor-20220120121427-101MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:04.910{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C6474342207E37B9B738FCAFBF9F26E,SHA256=320AA72ED7B1540F2BB5F9266EB2B21B9D08DBD3CF684540A7D6C756CAB8499C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034805Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:04.001{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5446DE4ED5A80B8BEC95D1A5865F84D9,SHA256=26E9967BD80DB8F4638BB6E94BF118304CF88F54F4617B50B16B915E7B2BA1A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:05.978{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64C490B8E43D3647D603B9B43B73153C,SHA256=A8D037E6C72848F33CE9507BA1D3092F2E4C43064BB09EA12ED29B7AAAD5901E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034807Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:02.293{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50944-false10.0.1.12-8000- 23542300x800000000000000034806Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:05.066{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5615047AA7C0CCD20C4DE24434762740,SHA256=D6D0018E56F39B4B0019A642BCA20CBCCBD463CFD1B5218E05364626112A1482,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:06.984{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A852B4143637BD1F8A3C93782C1C9B1,SHA256=C875A0B9603A5A8EDF62FAC6DC1747FD1E5A822DCC12F6BF05A785AE5AD1E727,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034808Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:06.128{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAE2E7B1AD226822348A507796F755A5,SHA256=AE1E762D3419DDCA398A9C7209B565F6AC6B24AC84DC625B3550DCD2E01E4CD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034809Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:07.144{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4827C3EAE9CE5FAB7CFF5BEAE29343C0,SHA256=705150B97A65716AA66974D53394E9224345392D60703611C9F977EF3EEAB03B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034810Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:08.175{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D5BFB4E82A8FD214EC906A4A97770F8,SHA256=BB42421093C054847CCC5112B7F3A87B032676C9F423192001E4546FBFCA60E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:06.932{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62367-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000058772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:08.014{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7D08476D75118C2495DADFB52A3F5B4,SHA256=6D57A198C9FFA3392E7819DBCA87E48D5EDDD8794F564A5A6E840EBD8E61D022,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034811Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:09.191{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C121ED3FCBCC7D123AF3617BD217FDCF,SHA256=78CF1F2B35829F832D3CA9905DDF31CD932A653002CDB6DE708A71C6AA3B2F42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:09.014{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52400B1156045B6BEF6EA8E4EF7E2B51,SHA256=BC4F93937A287BA578083BED4EA53C8CE8D34E5696D5BBD848577BDDA35B1387,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034812Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:10.284{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02DF618C47A8050904E4B376A86A960C,SHA256=F1D928439ABCE2B87923AE7D22223940A2534324DF8772730D927D2F4C0259E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:08.883{67EB100B-5243-61E9-2600-000000002202}2864C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local53domainfalse10.0.1.15WIN-HOST-TCONTR51532- 354300x800000000000000058776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:08.881{67EB100B-5243-61E9-2600-000000002202}2864C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local53domainfalse10.0.1.15WIN-HOST-TCONTR56748- 23542300x800000000000000058775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:10.030{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=530B5113A195FC7E4BBF50D568EB3F34,SHA256=6C57732F3980F8A87EC61D538B87591AB26C83105C09AAE7134CA229570F9A34,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034814Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:08.231{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50945-false10.0.1.12-8000- 23542300x800000000000000034813Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:11.316{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E441F68805DB0CB2027CAE8057E49859,SHA256=290A6FB9DDB42B0EF5BC39CE115A1D97867BD848C2BA2F343652E5C94CF6F0CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:11.082{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6A73-61E9-C403-000000002202}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:11.082{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:11.082{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:11.082{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:11.082{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:11.082{67EB100B-5230-61E9-0500-000000002202}4162384C:\Windows\system32\csrss.exe{67EB100B-6A73-61E9-C403-000000002202}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000058780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:11.082{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6A73-61E9-C403-000000002202}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000058779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:11.083{67EB100B-6A73-61E9-C403-000000002202}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000058778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:11.044{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1830BAB508CAE3CF221D5658AD03FA4,SHA256=0F227E1BBC3D7073FAC7ADE072281CF41AE5DECEA42359D619BA3E4D360FE880,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034815Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:12.363{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=586D9893DEC158792C7871F546358E89,SHA256=9DFF5C64023562884FADA3D12B204E05B283ABDA4BE0BAE884D83AF9BFCC496E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:12.244{67EB100B-6A74-61E9-C503-000000002202}50644184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000058797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:12.097{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD182C91A808BF4626CC91F369D8035C,SHA256=7D6A672A0255F12D7AC4F8BADDD321087FA5AF321C7B6B0A95963B0C90D17593,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:12.097{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2004FE2E9E7633C41242CE783545B964,SHA256=8B12E23A75CDBA0B681434CEF171EF2953B054F16D7F6858D2385231D2920CC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:12.066{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C549A0CC10B7D60246F76187BBFE48A9,SHA256=189FCDD3065E742A8A05126F8C11B4C1C2738E2ED4BF67252BF47B7A26B608E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:12.013{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6A74-61E9-C503-000000002202}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:12.013{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:12.013{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:12.013{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:12.013{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:12.013{67EB100B-5230-61E9-0500-000000002202}4161776C:\Windows\system32\csrss.exe{67EB100B-6A74-61E9-C503-000000002202}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000058788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:12.013{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6A74-61E9-C503-000000002202}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000058787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:12.013{67EB100B-6A74-61E9-C503-000000002202}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034816Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:13.394{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA8F226F09F4BA8EF2A586D5A8EC1708,SHA256=556D7CEBB7139ED062B9F139D85D12E0DCA7FF14B87B1922948496B0EC700F88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:13.182{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6A75-61E9-C603-000000002202}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:13.182{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:13.182{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:13.182{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:13.182{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:13.182{67EB100B-5230-61E9-0500-000000002202}416544C:\Windows\system32\csrss.exe{67EB100B-6A75-61E9-C603-000000002202}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000058801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:13.182{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6A75-61E9-C603-000000002202}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000058800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:13.183{67EB100B-6A75-61E9-C603-000000002202}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000058799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:13.145{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7C34ABD497F937B456D3F3EE8EA5338,SHA256=572B60A4D3BC52638CAA8EDDD7A417B9069AE25E8D84A1A97F96BE0D3A282843,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034817Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:14.441{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=794E9E55D9EB71B66E750AB3F8517A2B,SHA256=06D749B2B69DF7A47393CDF0473154341DACBC99DA2DC7C7797D4EED313CAEB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058828Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.921{67EB100B-6A76-61E9-C803-000000002202}46405900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000058827Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:12.831{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62368-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000058826Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.737{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6A76-61E9-C803-000000002202}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.737{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.737{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.737{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.737{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.737{67EB100B-5230-61E9-0500-000000002202}4162384C:\Windows\system32\csrss.exe{67EB100B-6A76-61E9-C803-000000002202}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000058820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.737{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6A76-61E9-C803-000000002202}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000058819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.738{67EB100B-6A76-61E9-C803-000000002202}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000058818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.487{67EB100B-6A76-61E9-C703-000000002202}67401524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000058817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.229{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD182C91A808BF4626CC91F369D8035C,SHA256=7D6A672A0255F12D7AC4F8BADDD321087FA5AF321C7B6B0A95963B0C90D17593,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.229{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6A76-61E9-C703-000000002202}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.229{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.229{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.229{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.229{67EB100B-5230-61E9-0500-000000002202}4162384C:\Windows\system32\csrss.exe{67EB100B-6A76-61E9-C703-000000002202}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000058811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.229{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.229{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6A76-61E9-C703-000000002202}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000058809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.230{67EB100B-6A76-61E9-C703-000000002202}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000058808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.167{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD2A4A02A0353446B422BCE46903E485,SHA256=B7F392144AFABD68815AF2B90CAAAEE501A90F67F86EB8697EBDD125A4E39B42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034818Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:15.456{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6747FD1217A53C672D3D50DEFDA06B4A,SHA256=07FF19F8263DE7933F167039EC2F6611B318D8C952045B7D570E2F46BF496D9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.354{67EB100B-5230-61E9-0B00-000000002202}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local62369-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local389ldap 354300x800000000000000058840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.354{67EB100B-5243-61E9-2300-000000002202}2824C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local62369-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local389ldap 10341000x800000000000000058839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:15.600{67EB100B-6A77-61E9-C903-000000002202}69886484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:15.403{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6A77-61E9-C903-000000002202}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:15.401{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:15.401{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058835Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:15.401{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:15.400{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:15.400{67EB100B-5230-61E9-0500-000000002202}416432C:\Windows\system32\csrss.exe{67EB100B-6A77-61E9-C903-000000002202}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000058832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:15.400{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6A77-61E9-C903-000000002202}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000058831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:15.400{67EB100B-6A77-61E9-C903-000000002202}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000058830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:15.236{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CA3458ED2EA5D627C04A1486CEE9069,SHA256=1EC74725F6F06FFDAC241A84E6105487E12CF2D551B87ED716C709B8E4EA20DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058829Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:15.168{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=564876CC1C648B74A0B3E324C5F93E5D,SHA256=D67B014CD0B6DB5419316B7B33149309B1AD30CD12620AFC57FE8984F9234E90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034820Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:16.456{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=556EC12E3765D2CFBDB143AF545CC4FC,SHA256=8AA2295DA70F55E69CBA02C88049C2A04A125DD0E2AA6CD3B7319CBE68F634FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:16.420{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88F1AEFA477822CC04AF4B4F2E82C971,SHA256=A437042778432B0695F99297B825B00478A5D71D70026AAF129C5C39539C578A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:16.183{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A758D8469A31F6305270EB65AC178524,SHA256=1E3CF6B39B7431F403FDBAED597E8E48CABD0C5DDAE7FFEE97C4F7C251FC22C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034819Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:13.326{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50946-false10.0.1.12-8000- 23542300x800000000000000034821Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:17.472{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F76C78E55DF48B0AF06D327B2B16A111,SHA256=C2D93CFEEB7DDF473BE8DE2908DDAE1E9611E92B7A522818744571852001B763,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:17.201{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BD0F6F903BC6FBFCE3029F0A75A4DC5,SHA256=CAE5C8B5FA2E01E4729C85BAB1D476EC42AD983A4D29EE7B45E0005EE94F8793,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034822Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:18.488{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF7957EC018E5586596B1A0C10990837,SHA256=98C75809FE8E22E48619F904CAAACF3FCC46050472CE784028AC017225009A4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:18.381{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6A7A-61E9-CA03-000000002202}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:18.381{67EB100B-5230-61E9-0500-000000002202}4161776C:\Windows\system32\csrss.exe{67EB100B-6A7A-61E9-CA03-000000002202}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000058851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:18.381{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:18.381{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:18.381{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:18.381{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:18.381{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6A7A-61E9-CA03-000000002202}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000058846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:18.382{67EB100B-6A7A-61E9-CA03-000000002202}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000058845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:18.219{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79AAB26322A2431E076103BC84E84F46,SHA256=567A1FA5024FA9A97DD9A0F0D5F39245FE3C6491596D1C192A0A0FCD17588F65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034823Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:19.503{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB2776AA792CE13EED63EA8B0D81ECE5,SHA256=A8216C33DCA10B86FA9A1AF00AC287CA1C909EC4C63D255A32BCF07ADD19560B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:19.389{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2127BDB00EA00B0D41FDEA49FEB2331B,SHA256=98130A4003BFAD84E99E3B77EA031B7726DA2795133C429C46F54017DD27B4DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:19.225{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E98ABB75E01CB7D002678A442BF9C40,SHA256=B5DDE27B1E5FDCD540542AF1AADF79C10B8CCCDAC76ACE1AE8F2DA59ECA0F7DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034824Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:20.519{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68A78ADD77CEBC511F2E525921BC6709,SHA256=53271014749BB8CD764E5EDFD78E88D58BE2CCC3EF03E13D3BCD5F40A4EB4F7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:20.225{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BD3C9D746C7BFFAA6F75B0F05CE94D3,SHA256=8F1D196E4133920BC496DA670184702D04563C297C72940B22457ED45ADEBBE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:17.867{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62370-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034825Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:21.534{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=823F0DCA83B92344849BFF5D0944824D,SHA256=6C1EE9B056F94B3547D25D6BD2DA144520CF0EF6FC3A4F4B686352BAB2A94090,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:21.225{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C7F39F6BCFB099284ED592C758634F0,SHA256=718EFF290AB117904DC67286087DC834CB904348347FE594B6A6EAB4CB71BA3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034827Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:22.550{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F64F8C8F324304FB77FA0F4BDA13FEF,SHA256=7CAC1710C04DB58A3467CCCED75B5C72AC3FE14B59F16A6AC264348B07442885,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058859Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:22.256{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DBD06E3232474DCBEBC9CD6F9880DE0,SHA256=0C41DC6E0C928A354644F090C00F6C3414A31D4D9A15516D7AA0033961A2F663,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034826Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:19.184{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50947-false10.0.1.12-8000- 23542300x800000000000000034828Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:23.566{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A4393C232879DC5F3726CA4C06A1752,SHA256=A378BE88CBF246BF3FB556EB2BFBCA91BC42A56E3F5B4E3852DFAEA01E4501D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058860Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:23.286{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F9F6F3BF88BD2219F853D5D1F0FD5D4,SHA256=0B1ACE2AD62C633DDB2F0294BC3C7581F20BFED213AD0616DA7C0B184BD8D9C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034829Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:24.581{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CCDD068CB8D68E17D74AAD6F4EC1924,SHA256=268C3B9E6C1CA1694D3F862AAB3EE84FA6A99C70E2874E7A2B03BF44DA713A28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058861Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:24.304{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B402B248DDD05A89681AE0AD0EB182B,SHA256=2CA0DC078CF0F154843F7C65373E2605130C62F5596E8E0EF643A1920201BB11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058863Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:25.323{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2758F2FE7790CFF883D915990C36CE6F,SHA256=14769657FF1333985762AAC658E1B9167D7D489380F09CCB22A7E047C52585A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034830Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:25.597{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=390DA78B9B11F4E28208BD31009E59BD,SHA256=04E57500A4459DD2A468077A27ACCDFE1568961507B9D7FE0FAD00DE8FE47AEE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058862Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:22.919{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62371-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034831Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:26.613{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=294EB083EBA6F0377CD8570EE84297C9,SHA256=DDFE43B77ED66EB359ADBCB39D4AF606A4AF29D816B72E6E3761745A5EBE99D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058864Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:26.338{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=138179BBAE9AD5A8667D4809D01A490B,SHA256=9B9A4D59DA868287B60367CD34CC61399CF0296E689D31571F64463BEA7F907D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034834Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:27.628{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DDAB11AB75B4B1334FA865D77861DC4,SHA256=8009638B901FEAF3D0AE5F2365FB4D778AA44C4F87E703D26581E094379A6AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034833Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:27.628{8EF30467-5221-61E9-1100-000000002202}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=BCD2854CEEA5DB373A2B7224ABB7C68C,SHA256=47D5D815EB988E8B32D39FE4612FF907B1F46CEEB9ADB7B96A01488389800BB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.902{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.902{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.902{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.900{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.900{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.900{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.900{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000058865Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.338{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0113E4736CB79C04620E3852AAAA76E4,SHA256=956C827FE2900424127551ECFB442BE9FC15CDBD338AAFE27126B9F88BCAEDA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034832Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:25.215{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50948-false10.0.1.12-8000- 23542300x800000000000000034835Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:28.644{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A5FD4DE43522DF75C104DA75BC11B73,SHA256=43F972B928608E2E4B3183BB71EA4B36627A6FDC74DB3088F1F4FCAE041A7F04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:28.484{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91F9619523054A282AA426124C7A8C71,SHA256=24F043D1549E4EAA2E6FE6DDF5872BE1095BBEE9FDC65605FF7AA72A7A9721F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:29.501{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AC4824A7BB61764ED365A58443D5242,SHA256=EB015C6B5DA24142D680C0AF978A4EE393DE1F21FDDCA86079857A0250C01FAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034836Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:29.659{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97E0E2EB34D6F3DA8DC88E5352E075F5,SHA256=244B5BBC5A57EE847B4315B96BC9359A84D5C84BA459A4D563BF75FCAA3AF6E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034837Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:30.675{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8CB23B63D10EB8AE2255C815E90900B,SHA256=FFA814AEAF99D5D14B54312BD28794108A24B29BD0F469D491D82D2CEE82A4D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:30.536{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3A2CF1C1C6BF4092F7168C8ABF897B2,SHA256=7C60295ED1BFC17A557AADC44ED13D5D2FC71674D56A2AF9586DD05519B43504,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.970{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62372-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034838Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:31.675{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55FB8154DAFEF7313CFDD6EDF7A823C1,SHA256=1F85E2ED743285B2E0155B9B4EC22D396C9CB1CCA665616DF11F7CE3D49B7031,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:31.923{67EB100B-5642-61E9-4001-000000002202}5756ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\7iz75hwd.default-release\datareporting\glean\pending_pings\66a954ec-9e5c-459f-b9ca-a1b5abe43569MD5=A0CA5DD1B671A8BBABDC80F30CAA8A9B,SHA256=2FF3DEFB2C15855D62F247976E84061BC0924AA664D30845094AE203E3FB046C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:31.706{67EB100B-5642-61E9-4001-000000002202}5756ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\7iz75hwd.default-release\datareporting\aborted-session-pingMD5=EEE13BC4741D75FD6AEA67B931886F77,SHA256=B2C88F1CD3965D0238B82F079D9397E5B862B2FD513CEC23C165FBF5FBC70EA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:31.667{67EB100B-5642-61E9-4001-000000002202}5756ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\7iz75hwd.default-release\datareporting\glean\db\data.safe.binMD5=E10909D94CD06CF3E58F684BF663B53C,SHA256=7D12C1090429A8DDB3D12D31C106F05CD1C81FB2F6E54B65293EFA095D361F6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:31.667{67EB100B-5642-61E9-4001-000000002202}5756ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\7iz75hwd.default-release\datareporting\glean\db\data.safe.binMD5=B7E90553934A708EEB809AAF04A0721A,SHA256=CBE0EF3EE4E4A3C11FA02A2A82748E6A1D0E8BB7DC67D9805AE574D574589469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:31.667{67EB100B-5642-61E9-4001-000000002202}5756ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\7iz75hwd.default-release\datareporting\glean\db\data.safe.binMD5=2B83B9A16D8C5F2CA9EE14E9F5995AA3,SHA256=BD355B374325168C86D4522599C6B5AD3E64A21415E436E61111C57047E3EC2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:31.667{67EB100B-5642-61E9-4001-000000002202}5756ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\7iz75hwd.default-release\datareporting\glean\db\data.safe.binMD5=C21E3717ADEEE7DEC88DD0E1FCDFEFC0,SHA256=42E1437000F22BC6AD0C4793D192BAD2D70E087BE864C82C1A0B2B97196E6BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:31.667{67EB100B-5642-61E9-4001-000000002202}5756ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\7iz75hwd.default-release\datareporting\glean\db\data.safe.binMD5=94E2B4AF10773AC98E03ED94C612CB6C,SHA256=C31F801031FEDE75272162B53AC17EC272D25A7F0141133905AA48BE714E89E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:31.568{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66F6E12578036C8F48B807E8DFF95FDB,SHA256=55B9E5B475E81F4587649455B580303F48335B4B4650C06CA0DECF3D0E0E9CA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034839Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:32.691{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27F069072F1EDCB57E1BDD210847DAC0,SHA256=F4E21DD0E74226B6320BBD957D6823848C29382A4AB9DD1AA49DB6DF7F439BF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:32.584{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7BCB6991AF0B19FA3F5CC1BE8C04235,SHA256=AC16803EF18D66A45FE7DA0B298E840457385C67EDE2541381CEF6CAFD5BC22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034841Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:33.706{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCBCC4F572B475BDD51A7BAE15B0B887,SHA256=B166DE6B515DF58368AD3AC29ED237B79FDBDF8FFCCC74D0D2FDC05BC7E4FD5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:33.603{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C39557D2BA72B40295929308EEEE4777,SHA256=5E07D0D4CCE6068B80D4B8BB96423D7824F4345014FD1EA999A2871CA6615388,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034840Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:31.122{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50949-false10.0.1.12-8000- 354300x800000000000000058909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:31.432{67EB100B-5642-61E9-4001-000000002202}5756C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62373-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 354300x800000000000000058908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:31.430{67EB100B-5243-61E9-2600-000000002202}2864C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local50725- 354300x800000000000000058907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:31.426{67EB100B-5243-61E9-2600-000000002202}2864C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local53161- 23542300x800000000000000034842Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:34.722{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAE5D9C62B46D09C67F4B64497826FA7,SHA256=D17373F38824BCC55270A769C0CBD9164E6647B0CC27FC7DD217C4ED8696C159,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:34.620{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3023E48F6BBE1C336F8D78601F3D81EE,SHA256=BF4290C01CE96620283FADFDD67912986BF35C21A6A1C4942E43ECBEAC3C803B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:34.367{67EB100B-5289-61E9-8900-000000002202}45246068C:\Windows\Explorer.EXE{67EB100B-571F-61E9-7101-000000002202}6460C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:34.367{67EB100B-5289-61E9-8900-000000002202}45246068C:\Windows\Explorer.EXE{67EB100B-571F-61E9-7101-000000002202}6460C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:34.367{67EB100B-5289-61E9-8900-000000002202}45246068C:\Windows\Explorer.EXE{67EB100B-571F-61E9-7101-000000002202}6460C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:34.351{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-571F-61E9-7101-000000002202}6460C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62db0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:34.351{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-571F-61E9-7101-000000002202}6460C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+62d6c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:34.351{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-571F-61E9-7101-000000002202}6460C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62d40|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:34.351{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-571F-61E9-7101-000000002202}6460C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034843Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:35.738{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB125E537EE48C8F4BF30E2E752DB64,SHA256=275A8173FA5C0BF4E18BAD7BFED2DE0C4930CDC5F7D9B11E6C3A3A57192B5B3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:35.620{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9476676A5234FA93F2E47678CE5E55FF,SHA256=D481B5D6229C7312A527698021C510DE23BB9ACE3936C0011C3044E1BB216137,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:33.769{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62374-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034844Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:36.753{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=113F4CF7B89D6A964849B0EFC4CB6D79,SHA256=A9C4AB15992B0F504C1071EE78CB0FDFA89371014E81A3D7F05730012738D1B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:36.621{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=266F684E8DB2AB7E382AE5842C2AE4FF,SHA256=A472451EFE1BAC90A21101482A28BA46A2039B1F9D47C410CECEE333FD086160,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:36.155{67EB100B-5243-61E9-2500-000000002202}2840NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0231120d92e8ee7ae\channels\health\respondent-20220120121502-100MD5=8F9BF81EEEF0CC5FBD19D34ACA4D7654,SHA256=BDB857148A23C205BC97FF1DFCA28720A075C205934C789E9782C71AA2112876,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:37.652{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3415C05168E9123D48BF01276D392909,SHA256=AE0468B0F4E52088F270A0E68A9678AA7286CB59921808F77EDA5A7A86448C96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034845Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:37.769{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55F326DF3B358F5AB8E87891F776BA0C,SHA256=6497530C3D776EF59E64514405C1ED96086D8AD17E1A0C24432F0D7818E75094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:37.153{67EB100B-5243-61E9-2500-000000002202}2840NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0231120d92e8ee7ae\channels\health\surveyor-20220120121500-101MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034846Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:38.784{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A89428BB20E562590BA7FBDEC864A41,SHA256=C3B720CB32C9FB2AF9B076D9C551678A888B58889CD9D4D24EA9C7A295DAE9EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:38.666{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9E4D179B96796593D05CCC72492D273,SHA256=DF32AA97188199A57A77980E214949222409DC9E05E14525BA50C60C23F7A9D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034848Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:36.293{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50950-false10.0.1.12-8000- 23542300x800000000000000034847Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:39.784{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=157A3CD13273FF605AA768877A01A214,SHA256=7E649EEA57C2E97CF7E15BC63AB6B0564165F969BF2FD188237C6BE8A01E5236,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:39.681{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DAF52439B94675480160F166E28679B,SHA256=BDE9548F0976B2414AB658A47BC44515FD0B2FA38B284A0ECB6089A67739AE28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034862Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:40.800{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D717978C237897C1A5EB3C5FC7766B7F,SHA256=735707AAB2067A1099D0A3A36C42F030D1D4A0893D12C47C9F956200CAE92B60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:40.681{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F04B807C8699D8DBA4F050C1CAE13F2D,SHA256=0BAA58E512D92D8DDFF3AFDD7C70000ED17DA0624844880DC8BF1857E52E85E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034861Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:40.738{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6A90-61E9-4E03-000000002202}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034860Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:40.738{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034859Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:40.738{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034858Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:40.738{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034857Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:40.738{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034856Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:40.738{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034855Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:40.738{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034854Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:40.738{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034853Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:40.738{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034852Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:40.738{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034851Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:40.738{8EF30467-5220-61E9-0500-000000002202}412528C:\Windows\system32\csrss.exe{8EF30467-6A90-61E9-4E03-000000002202}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034850Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:40.738{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6A90-61E9-4E03-000000002202}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034849Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:40.738{8EF30467-6A90-61E9-4E03-000000002202}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000058927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:38.815{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62375-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000058929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:41.699{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9FFAD65DA4E463498FBF4E90C4F78F1,SHA256=CBC603896D02C9ACFB17DBCB90C86541296D59353AE504B1398FFA3F62E22784,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034879Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:41.816{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4782544570FE3DAD83AEF567350D66BC,SHA256=B1FF78F7086A37712EFBD4E02092A79403BC9317068AEB0BBF64E3A71543E709,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034878Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:41.784{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8123F2680799AAE43579086DF33B8A7F,SHA256=B4F5BF2C80EADF590D05C517CE36EDC839FD37BF7D6D62B94456B0A166E4BD49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034877Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:41.784{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72A0126B604BA99285C6A71A3AC391E3,SHA256=E7990D7522E76EF6CE92764F4805B33AA27504FC729E63EE18A78033FBEF9C62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034876Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:41.597{8EF30467-6A91-61E9-4F03-000000002202}3228748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034875Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:41.409{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6A91-61E9-4F03-000000002202}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034874Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:41.409{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034873Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:41.409{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034872Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:41.409{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034871Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:41.409{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034870Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:41.409{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034869Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:41.409{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034868Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:41.409{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034867Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:41.409{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034866Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:41.409{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034865Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:41.409{8EF30467-5220-61E9-0500-000000002202}412528C:\Windows\system32\csrss.exe{8EF30467-6A91-61E9-4F03-000000002202}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034864Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:41.409{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6A91-61E9-4F03-000000002202}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034863Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:41.410{8EF30467-6A91-61E9-4F03-000000002202}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000058930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:42.719{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77297DA7480E54145951CB4068D5FE96,SHA256=6AB30E14CB2B105E9769F3E4D21B68ECB70594A1D917FC6AAF3904D292FC871D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034906Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.847{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6A92-61E9-5103-000000002202}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034905Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.847{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034904Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.847{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034903Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.847{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034902Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.847{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034901Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.847{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034900Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.847{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034899Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.847{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034898Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.847{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034897Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.847{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034896Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.847{8EF30467-5220-61E9-0500-000000002202}412428C:\Windows\system32\csrss.exe{8EF30467-6A92-61E9-5103-000000002202}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034895Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.847{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6A92-61E9-5103-000000002202}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034894Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.848{8EF30467-6A92-61E9-5103-000000002202}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034893Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.816{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A1ACB12EDC4EB6DD9A67DFAAD62D23A,SHA256=8420152C70A5E5BC0A5512611BF47764B0C9F4813B2E68BFCFBFE8E5F63F2B9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034892Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.081{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6A92-61E9-5003-000000002202}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034891Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.081{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034890Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.081{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034889Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.081{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034888Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.081{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034887Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.081{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034886Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.081{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034885Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.081{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034884Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.081{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034883Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.081{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034882Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.081{8EF30467-5220-61E9-0500-000000002202}4121048C:\Windows\system32\csrss.exe{8EF30467-6A92-61E9-5003-000000002202}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034881Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.081{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6A92-61E9-5003-000000002202}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034880Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.082{8EF30467-6A92-61E9-5003-000000002202}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034909Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:43.831{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F22EC7F2961405A618B4D69BBF723E05,SHA256=FED7342E36A82550AC8BF6E84D11BFE25A507CEAEA6D8EC8466CE32A155C9E4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:43.765{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E50B639241E1CE7BCB82069FF42D471,SHA256=25B7C0BA8585C8B73BABF58482F0BB61B9542681B5EC32E66561DA30901AE2EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:43.765{67EB100B-5232-61E9-1100-000000002202}636NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=BC66B377C225DBFD7E4144228F92A6A7,SHA256=09FE865BD83FE85B29E6BEEA687691AE155AC9D337FE2FC1EB820B154D7D6600,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034908Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:43.222{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8123F2680799AAE43579086DF33B8A7F,SHA256=B4F5BF2C80EADF590D05C517CE36EDC839FD37BF7D6D62B94456B0A166E4BD49,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034907Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.988{8EF30467-6A92-61E9-5103-000000002202}9323708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000058934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:44.980{67EB100B-5642-61E9-4001-000000002202}5756ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\7iz75hwd.default-release\datareporting\glean\db\data.safe.binMD5=0B6CE15C1C43BFD6156C5F9D8620A6D0,SHA256=70B383AEFECD01A33BCA3141F61D34C9967F3A5B24ECB469F2F97B183E3FD77F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:44.780{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B4B75C10453FB909E1BD87B2E1B88A6,SHA256=A4FEC8D000B622E0C367F6329FE3E5FF6BAEE6AA104886DFB2A5817BD164FA39,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034938Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.800{8EF30467-6A94-61E9-5303-000000002202}16562412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000034937Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.121{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50951-false10.0.1.12-8000- 10341000x800000000000000034936Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.597{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6A94-61E9-5303-000000002202}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034935Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.597{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034934Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.597{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034933Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.597{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034932Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.597{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034931Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.597{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034930Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.597{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034929Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.597{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034928Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.597{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034927Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.597{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034926Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.597{8EF30467-5220-61E9-0500-000000002202}412528C:\Windows\system32\csrss.exe{8EF30467-6A94-61E9-5303-000000002202}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034925Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.597{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6A94-61E9-5303-000000002202}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034924Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.598{8EF30467-6A94-61E9-5303-000000002202}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000034923Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.316{8EF30467-6A94-61E9-5203-000000002202}1316984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034922Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.097{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6A94-61E9-5203-000000002202}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034921Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.097{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034920Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.097{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034919Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.097{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034918Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.097{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034917Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.097{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034916Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.097{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034915Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.097{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034914Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.097{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034913Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.097{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034912Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.097{8EF30467-5220-61E9-0500-000000002202}4121048C:\Windows\system32\csrss.exe{8EF30467-6A94-61E9-5203-000000002202}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034911Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.097{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6A94-61E9-5203-000000002202}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034910Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.098{8EF30467-6A94-61E9-5203-000000002202}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000058936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:45.798{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C82EF1AD4B73A564DBFC45943B602460,SHA256=92098C294C65FAE4F7DAEBBB433866806A73705BC689FF690538D9870E5B95E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034940Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:45.238{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=606FC18761E157F010C5A7C127C80BD8,SHA256=325C20947A9AAE4D474E7CD37F8A0190BC433F18085C7B7EC5DCD08BAB6DF43E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034939Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:45.238{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5326E399A10E36920D14DD5A994E64D,SHA256=4330AD85571B463CE9413A8E14CA109A13560960CFB0144302C7D139790045B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:43.951{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62376-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000058937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:46.817{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1921FD57F3714EE41B13BC2E80AF60D0,SHA256=34E951A71758179056F708C75ACE24635392D8C4BF4C43824D8CD3E4E9FE4AEA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034954Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:46.941{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6A96-61E9-5403-000000002202}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034953Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:46.941{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034952Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:46.941{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034951Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:46.941{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034950Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:46.941{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034949Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:46.941{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034948Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:46.941{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034947Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:46.941{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034946Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:46.941{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034945Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:46.941{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034944Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:46.941{8EF30467-5220-61E9-0500-000000002202}412428C:\Windows\system32\csrss.exe{8EF30467-6A96-61E9-5403-000000002202}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034943Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:46.941{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6A96-61E9-5403-000000002202}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034942Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:46.941{8EF30467-6A96-61E9-5403-000000002202}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034941Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:46.238{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81A6780EA351101ECB1F1ADC078999A5,SHA256=292BE95E175CBBDC804B0EB53954A06DAD63EE02027DB86AFE8B7F2DC03B60B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:47.832{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0FC8155C5AE0E553A06CA6C8AC33837,SHA256=5C309528ACF70C7EFB3522BD8DBFC8EA6B943884A86DE3D393682AF686B8AAF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034956Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:47.972{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F36E13F6E81E366887EC776F253A3089,SHA256=EE32F578D03D9DA77024E08B025863EA680824011FD9A295224E259F78F86774,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034955Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:47.254{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1BEDE2A1B4035C82B370B29FC9D46C8,SHA256=15B9A802914F18A1A1E2F6CFC46F2058197CDA94896D1923DC7A78E10A597F16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:48.863{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6775C31FD3FCAC086C85C849E69F7786,SHA256=9D60820BB92C556856F8D92F5F1BF699F9F65CB5667273E0C17731E26234D0FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034957Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:48.347{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F131ADA4A8B22185169125774B7262EC,SHA256=EBA72C0AF4B926884FE62796562B12230EE8026EF9E20B970A105C0805B7A156,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:48.316{67EB100B-5243-61E9-2A00-000000002202}2992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D436AF652A33B7D06FAEE8F888192108,SHA256=D76038C381859681D8335FD4E07B206A8BF432D2938CEAE5F3738101625CBCCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:49.899{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B06C4CD841BA5605EF962DF5BBDA834,SHA256=A0E9DC71FF6D58595A78942112A3ACF29BEC285A21E8CADC37438A2D48C0A629,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034958Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:49.394{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A329388592872BC692812F63A1F73EC9,SHA256=996963ADE0E83D9C5DD089192C61FBF0AA59D245D8A1AF3BCD7A51CD362546D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:48.028{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62377-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000058943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:50.930{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDA2D5A6E1C7C368AB743A248894C0FC,SHA256=2A5419745295C5D730C6EC6173048BC36660F6C7E87A4ABE565CFB7ED4C77BC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034959Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:50.409{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D023C764F3D3478236FE88AE0416D02,SHA256=61E4390002059450819938D744C5323E852C6DB2BA7BEB88FCEF3CFE566BD450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:51.931{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97D742A646D5D9F6326094F9B44E3EB0,SHA256=15198D3065613D809735EB883D4F089C7D5C8F0BC45016F8B8E1C7296A274ACC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034961Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:51.425{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2C60D475200CD93FAA7F6CF0B7CF2B7,SHA256=B1542BF774BA38B716C0CB4D06B14B094D13E13A067FBB87A916B2A733DC9B0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:49.779{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62378-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000034960Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:48.169{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50952-false10.0.1.12-8000- 23542300x800000000000000058946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:52.932{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AA5FE585070D0AE9263565A0E46BD85,SHA256=FA55339FB1C19F46755B60E40F727D53571BAE95843CCB8EA72B2258B0DED93B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034963Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:52.441{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02B1207BECF58974068861D70FF7175B,SHA256=F8A649CABE72BDE81B70A056FE0709B0E2F058BA86817B5EEE78FE13DF4A0B05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034962Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:52.253{8EF30467-5222-61E9-2000-000000002202}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D436AF652A33B7D06FAEE8F888192108,SHA256=D76038C381859681D8335FD4E07B206A8BF432D2938CEAE5F3738101625CBCCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:53.963{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51B96D767AAAD73865B197C2DD3408E4,SHA256=C1EAF79823CB4F71F3EC8C9FE8A72DA404699D2889D8CE6F0DD39267E2A7F101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034964Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:53.441{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04240ED31AC51A4C34D4E6ACE3A436B2,SHA256=B9F028BD73BB69B4E82F103CB168389E18952FB07351FB4A3470A9A1B0DF0A4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:54.964{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBD3E5467B80E50AD49FABFE85C3D722,SHA256=34959F9FD6F61FBC1C344A51B5A5C4E4B03126CD0919ED3AD2F316B19CDD85C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034966Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:54.534{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79CF9C152A05D876898BAF7CE7E06853,SHA256=40F7A4A39DEFBBF10983493303755C90AEA09E0EE3BC3D0CCC90D45F89B95259,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034965Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:51.309{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50953-false10.0.1.12-8089- 23542300x800000000000000034967Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:55.597{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EAF34553478478B77CBD3900AAC5F35,SHA256=38F6E847BAC33DCE179952AA3A6F5E4F8B0B16D78DCE98957173B5FA393EE034,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034969Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:56.628{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=635BD32392D64615CD2B47AAFBED806C,SHA256=BF76476EEE2FD71B86DD9CFA1DC252A81742E12519249947DBF28D52D3EB97ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:54.814{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62379-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000058949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:56.018{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=098E708319F983E31612845CA442939A,SHA256=EE39B0CE570644071DDD50F69D35637BB5F6157CA99D5365D123B13D52FFC366,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034968Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:53.293{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50954-false10.0.1.12-8000- 23542300x800000000000000034970Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:57.675{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B089F4ABA9F1CA001EF1BFFBB6B1F85,SHA256=9FF6C512CCC824551181DBC9DEDC3B183C024D8A6D29C1A73F19CA5AACE430A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:57.879{67EB100B-5232-61E9-1400-000000002202}10641184C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000058951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:57.033{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC791C3C5EA0D81E43A6B1B74D814784,SHA256=45C77B93BA6445FC7FCB67CA4B597927621C91D3055D3A24F59F611FC7D0F83E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034971Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:58.706{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3399809668E2289FEB80ECE5CE469F9,SHA256=1A15E7B00C01F2062968499E50135032BBE69A339522404EFF09BC203E8783C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:58.048{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=911E04D00CCB4828DD0E994FA6297A90,SHA256=6EC8C713A2CB39A47938ABEC2F29ACE64A7F60A3860D17E196A98F6CA78117BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034972Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:59.769{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B875398DEF724FBD8E8EFA689E5077B0,SHA256=1F0C2F2088F878E0A9DF6E6947F1B8FDF6EE28626854EFEFDBF9DA964E7A9EAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.933{67EB100B-5289-61E9-8400-000000002202}41764244C:\Windows\system32\taskhostw.exe{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.902{67EB100B-5289-61E9-8900-000000002202}45246624C:\Windows\Explorer.EXE{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.902{67EB100B-5289-61E9-8900-000000002202}45246624C:\Windows\Explorer.EXE{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.902{67EB100B-5289-61E9-8900-000000002202}45246624C:\Windows\Explorer.EXE{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.902{67EB100B-5289-61E9-8900-000000002202}45247104C:\Windows\Explorer.EXE{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.902{67EB100B-5289-61E9-8900-000000002202}45247104C:\Windows\Explorer.EXE{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.902{67EB100B-5289-61E9-8900-000000002202}45247104C:\Windows\Explorer.EXE{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.902{67EB100B-5289-61E9-8900-000000002202}45247104C:\Windows\Explorer.EXE{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.897{67EB100B-5289-61E9-8400-000000002202}41764244C:\Windows\system32\taskhostw.exe{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.896{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62db0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.880{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+62d6c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.880{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62d40|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.880{67EB100B-5289-61E9-8400-000000002202}41764244C:\Windows\system32\taskhostw.exe{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.880{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.834{67EB100B-5230-61E9-0B00-000000002202}648784C:\Windows\system32\lsass.exe{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.795{67EB100B-5230-61E9-0B00-000000002202}648784C:\Windows\system32\lsass.exe{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.764{67EB100B-5230-61E9-0B00-000000002202}648784C:\Windows\system32\lsass.exe{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.764{67EB100B-5230-61E9-0B00-000000002202}648784C:\Windows\system32\lsass.exe{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.764{67EB100B-5232-61E9-1600-000000002202}12881856C:\Windows\system32\svchost.exe{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.764{67EB100B-5232-61E9-1600-000000002202}12881328C:\Windows\system32\svchost.exe{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.732{67EB100B-5286-61E9-7A00-000000002202}12643200C:\Windows\system32\csrss.exe{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000058960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.732{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.732{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.732{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.732{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.732{67EB100B-5289-61E9-8900-000000002202}45244724C:\Windows\Explorer.EXE{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\7-Zip\7-zip.dll+545c|C:\Program Files\7-Zip\7-zip.dll+67e5|C:\Program Files\7-Zip\7-zip.dll+6fbe|C:\Program Files\7-Zip\7-zip.dll+70d9|C:\Program Files\7-Zip\7-zip.dll+8e20|C:\Program Files\7-Zip\7-zip.dll+c301|C:\Windows\System32\SHELL32.dll+80267|C:\Windows\System32\SHELL32.dll+6717e|C:\Windows\System32\SHELL32.dll+17c29c|C:\Windows\System32\SHELL32.dll+19ea38|C:\Windows\System32\SHELL32.dll+284513|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17c540|C:\Windows\System32\SHELL32.dll+1799be|C:\Windows\System32\SHELL32.dll+736d1|C:\Windows\System32\SHELL32.dll+765b6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15 154100x800000000000000058955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.728{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe21.077-Zip GUI7-ZipIgor Pavlov7zg.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Temp\" -an -ai#7zMap2422:50:7zEvent10910C:\Windows\system32\ATTACKRANGE\Administrator{67EB100B-5288-61E9-FCE4-070000000000}0x7e4fc2HighMD5=300B8E1F636DCDE7269EF18600493819,SHA256=3AEF7662DCDBBC952A3ECD3677DA943EF3D4AECB5BD624625B6B176B1B5CE617,IMPHASH=C60649CDE63EC51599F93CD2D0157322{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000058954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.079{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1578E274C5E5AD352E67E7AA13E4C8FB,SHA256=452861579AD0EC96C6C9C8C4630813A5FB9717D6BC174552C899EB3A2363E6D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034973Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:00.784{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48D4FC5D6A45B803D35EDDD2A6FC4011,SHA256=5D829FC92EC59B2433515447866BD0503CE9AD17A495BA884BEA0D24B6A24DCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:00.718{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C19BDDF1DE28F1A5BA05EAA98D1BFC9,SHA256=1D593F9083B515A6A6BE2E9479291EC17A3F1488B29463FD2193B463C69ACCC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:00.718{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7EAB7F9C97238B996A99B875B7C6DA53,SHA256=F710B5BC1D846A69C6DDF865CC968826756BB027F3FECB92B562C58EF0E1D426,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:00.534{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C8B00C83BC0EB38EDB2D07C73C31B30,SHA256=C928F5F464435F204062C24739BC2387FA494A5F6AF96140B8EEE90062D35A41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034975Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:01.816{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36C4CF631E6DECCC70CD31C637688B24,SHA256=34ADC1B1815238796D8E0E960CD6627478355546836BE163887238F8006DC6B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.851{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62380-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000058985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:01.549{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E9A225CE3674F70AFCC1EC611AF6A53,SHA256=9F1FA8E8B1A8BB73764A3DEED57D786EA2A21848E5852D1CDD9E0BED5E168D2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034974Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:58.309{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50955-false10.0.1.12-8000- 11241100x800000000000000058992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.localEXE2022-01-20 13:59:02.583{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exeC:\Temp\AdvancedRun.exe2022-01-20 13:59:02.583 11241100x800000000000000058991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:02.583{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exeC:\Temp\Nmddfrqqrbyjeygggda.vbs2022-01-20 13:59:02.583 23542300x800000000000000058990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:02.552{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83A5C52F947B97ABD38673CD61D062E2,SHA256=5A065363152C2057E1127F1F33461CC004283F5BD2EF5C8992B73C645E3C7A71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034976Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:02.831{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F3DA82F8A8F5124132774E25EC33F6C,SHA256=A6FB90177280C887007B0E12FCBBDAA34940D33F12985A71DAD52ECB744F6815,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:02.434{67EB100B-5289-61E9-8900-000000002202}45246624C:\Windows\Explorer.EXE{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:02.434{67EB100B-5289-61E9-8900-000000002202}45246624C:\Windows\Explorer.EXE{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:02.434{67EB100B-5289-61E9-8900-000000002202}45246624C:\Windows\Explorer.EXE{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034977Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:03.847{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABE2940D50755BA45EB5D00178201F1A,SHA256=ABD4CE27ED36121C9CE840663EE273FDC1CEEBD2E731DCDD90B0201667EB7964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:03.582{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21A475F98F291BA0EAC66A624FDCEBD2,SHA256=E04872A41E316BB3026711988D17C4AA58AA127F2A53FF2A6A4E56DD6A306EBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034979Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:04.877{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D6E7C1BD9E1ED8504051204291E4243,SHA256=D9A039002A80A9C763589E6DE966294691275A3B72DF6F1A94D24F818BFD547C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:04.600{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CE3F371EB1095BEDC8EAD2087878D68,SHA256=56EED37E6D62A637FFB605AD8B5C33978E71ADC6A7BC29E4271EE2944E515320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034978Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:04.366{8EF30467-5222-61E9-1D00-000000002202}1936NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08eff906c3b0b2aeb\channels\health\respondent-20220120121429-101MD5=9C7CC3E13423C542C468574212C91F42,SHA256=598A0B94AA34B4E0F57831480B3ABFCDA89CC50178B87C4D9085997CAB025298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034981Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:05.891{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADE2B0E2644F3BC5E739AA5AED4F7BE7,SHA256=7F2CEDC4FB08E999A49E8D9EEAFAD2B65F449ED996F09002E15D25FFD2595C3C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000059008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:05.949{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnk2022-01-20 12:21:05.008 23542300x800000000000000059007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:05.949{67EB100B-5289-61E9-8900-000000002202}4524ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnkMD5=EEE00754C9392DEB11727F8F86B36E3C,SHA256=AEEDBFF9564A83F060F7D04DD9F85DA5F2F133824013C8383B967E6F0F88D93A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000059006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:05.918{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Nmddfrqqrbyjeygggda.vbs.lnk2022-01-20 13:59:05.918 10341000x800000000000000059005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:05.865{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-6AA9-61E9-CC03-000000002202}1812C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:05.865{67EB100B-5232-61E9-1600-000000002202}12881856C:\Windows\system32\svchost.exe{67EB100B-6AA9-61E9-CC03-000000002202}1812C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:05.865{67EB100B-5232-61E9-1600-000000002202}12881328C:\Windows\system32\svchost.exe{67EB100B-6AA9-61E9-CC03-000000002202}1812C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:05.849{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:05.849{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:05.849{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:05.849{67EB100B-5286-61E9-7A00-000000002202}12643096C:\Windows\system32\csrss.exe{67EB100B-6AA9-61E9-CC03-000000002202}1812C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000058998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:05.849{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:05.849{67EB100B-5289-61E9-8900-000000002202}45242072C:\Windows\Explorer.EXE{67EB100B-6AA9-61E9-CC03-000000002202}1812C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a912f|C:\Windows\System32\windows.storage.dll+a8da5|C:\Windows\System32\windows.storage.dll+a8896|C:\Windows\System32\windows.storage.dll+a9d08|C:\Windows\System32\windows.storage.dll+a86be|C:\Windows\System32\windows.storage.dll+ab4d5|C:\Windows\System32\windows.storage.dll+ab854|C:\Windows\System32\windows.storage.dll+aae90|C:\Windows\System32\windows.storage.dll+ad6ba|C:\Windows\System32\windows.storage.dll+ad472|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801e1|C:\Windows\System32\SHELL32.dll+6717e|C:\Windows\System32\SHELL32.dll+18ce6c|C:\Windows\System32\SHELL32.dll+18cbc3|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000058996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:05.847{67EB100B-6AA9-61E9-CC03-000000002202}1812C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\Nmddfrqqrbyjeygggda.vbs" C:\Temp\ATTACKRANGE\Administrator{67EB100B-5288-61E9-FCE4-070000000000}0x7e4fc2HighMD5=95B2CC3A306C4C1059A53B660096F0A5,SHA256=8B2E206D1F6B510AD73C7541C03F39F9E4DDD7E3D1B9E31F3C8829C64B42E075,IMPHASH=661A40859BC6D47752E9FC5E02C1862C{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000058995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:05.618{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F41864F2FC0B9BF0FCB4CFA61D5992C9,SHA256=388F6CD5CD0DFC49A3E402166C62E261D9A40A63D94F89202943267EC4990C83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034980Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:05.394{8EF30467-5222-61E9-1D00-000000002202}1936NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08eff906c3b0b2aeb\channels\health\surveyor-20220120121427-102MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:06.962{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E1AFFAAEA8A6E86CABAC953CE3DC60A,SHA256=61787D8EAC9D933CF6E5318BFEE6AE9CB083551E1992A102277B49433D486BED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:06.960{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44AB54A74B6C9D35F0E76F7800A5ADFF,SHA256=6046B04FBBCBF1D8BF332E1B2901E89CAD04B6D089FBD5554991787CAE2906AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:06.960{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C19BDDF1DE28F1A5BA05EAA98D1BFC9,SHA256=1D593F9083B515A6A6BE2E9479291EC17A3F1488B29463FD2193B463C69ACCC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034983Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:06.892{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CACB0DAD94AA008F2C3B5666F6947756,SHA256=D7120D3F5C7CED907669D0C7AE7C7E6E06566ADFDE771BD3A3CC24CBC61CDD67,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034982Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:04.324{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50956-false10.0.1.12-8000- 10341000x800000000000000059022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:06.329{67EB100B-5230-61E9-0B00-000000002202}648784C:\Windows\system32\lsass.exe{67EB100B-6AAA-61E9-CD03-000000002202}4960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:06.149{67EB100B-5232-61E9-1600-000000002202}12881856C:\Windows\system32\svchost.exe{67EB100B-6AAA-61E9-CE03-000000002202}6444C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:06.149{67EB100B-5232-61E9-1600-000000002202}12881328C:\Windows\system32\svchost.exe{67EB100B-6AAA-61E9-CE03-000000002202}6444C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:06.149{67EB100B-6AAA-61E9-CE03-000000002202}64445932C:\Windows\system32\conhost.exe{67EB100B-6AAA-61E9-CD03-000000002202}4960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:06.133{67EB100B-5286-61E9-7A00-000000002202}12643096C:\Windows\system32\csrss.exe{67EB100B-6AAA-61E9-CE03-000000002202}6444C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:06.118{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:06.118{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:06.118{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:06.118{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:06.118{67EB100B-5286-61E9-7A00-000000002202}12643096C:\Windows\system32\csrss.exe{67EB100B-6AAA-61E9-CD03-000000002202}4960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:06.118{67EB100B-6AA9-61E9-CC03-000000002202}18123516C:\Windows\System32\WScript.exe{67EB100B-6AAA-61E9-CD03-000000002202}4960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a912f|C:\Windows\System32\windows.storage.dll+a8da5|C:\Windows\System32\windows.storage.dll+a8896|C:\Windows\System32\windows.storage.dll+a9d08|C:\Windows\System32\windows.storage.dll+a86be|C:\Windows\System32\windows.storage.dll+ab4d5|C:\Windows\System32\windows.storage.dll+ab854|C:\Windows\System32\windows.storage.dll+aae90|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+dcb4e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000059011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:06.119{67EB100B-6AAA-61E9-CD03-000000002202}4960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath 'C:\'C:\Temp\ATTACKRANGE\Administrator{67EB100B-5288-61E9-FCE4-070000000000}0x7e4fc2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{67EB100B-6AA9-61E9-CC03-000000002202}1812C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\Nmddfrqqrbyjeygggda.vbs" 10341000x800000000000000059010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:06.102{67EB100B-5230-61E9-0B00-000000002202}648784C:\Windows\system32\lsass.exe{67EB100B-6AA9-61E9-CC03-000000002202}1812C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:06.102{67EB100B-5230-61E9-0B00-000000002202}648784C:\Windows\system32\lsass.exe{67EB100B-6AA9-61E9-CC03-000000002202}1812C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034984Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:07.923{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=332B163034C7C6DE7353CEF56EB9F3D5,SHA256=67C8E8086EE52BE2914AF537993F477D4E49F9ECA0BFEB37AC0E2F3488E2A450,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:07.606{67EB100B-5232-61E9-1600-000000002202}12881856C:\Windows\system32\svchost.exe{67EB100B-6AAA-61E9-CD03-000000002202}4960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:07.606{67EB100B-5232-61E9-1600-000000002202}12881328C:\Windows\system32\svchost.exe{67EB100B-6AAA-61E9-CD03-000000002202}4960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:07.553{67EB100B-5230-61E9-0B00-000000002202}648784C:\Windows\system32\lsass.exe{67EB100B-6AAA-61E9-CD03-000000002202}4960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:07.553{67EB100B-5230-61E9-0B00-000000002202}648784C:\Windows\system32\lsass.exe{67EB100B-6AAA-61E9-CD03-000000002202}4960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000059031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-CreatePipe2022-01-20 13:59:07.385{67EB100B-6AAA-61E9-CD03-000000002202}4960\PSHost.132871607461199642.4960.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000059030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:07.367{67EB100B-6AAA-61E9-CD03-000000002202}4960ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ys0i2cgs.vud.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:07.366{67EB100B-6AAA-61E9-CD03-000000002202}4960ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_4wmqcbvn.ekx.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000059028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:07.221{67EB100B-6AAA-61E9-CD03-000000002202}4960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_4wmqcbvn.ekx.ps12022-01-20 13:59:07.221 10341000x800000000000000059027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:07.199{67EB100B-5230-61E9-0B00-000000002202}648784C:\Windows\system32\lsass.exe{67EB100B-6AAA-61E9-CD03-000000002202}4960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:07.192{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-6AAA-61E9-CD03-000000002202}4960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034985Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:08.939{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F1DB1D10C2DD1CBDBE12B0BF1FA49DB,SHA256=68A2AB0C986FF50A7A6872465B88A0FDCB84B31A9246560C0E51531E42708E37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:08.974{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:08.974{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:08.974{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:08.974{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:08.974{67EB100B-5286-61E9-7A00-000000002202}12643096C:\Windows\system32\csrss.exe{67EB100B-6AAC-61E9-CF03-000000002202}2504C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:08.974{67EB100B-5289-61E9-8900-000000002202}45246700C:\Windows\Explorer.EXE{67EB100B-6AAC-61E9-CF03-000000002202}2504C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a912f|C:\Windows\System32\windows.storage.dll+a8da5|C:\Windows\System32\windows.storage.dll+a8896|C:\Windows\System32\windows.storage.dll+a9d08|C:\Windows\System32\windows.storage.dll+a86be|C:\Windows\System32\windows.storage.dll+ab4d5|C:\Windows\System32\windows.storage.dll+ab854|C:\Windows\System32\windows.storage.dll+aae90|C:\Windows\System32\windows.storage.dll+ad6ba|C:\Windows\System32\windows.storage.dll+ad472|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801e1|C:\Windows\System32\SHELL32.dll+6717e|C:\Windows\System32\SHELL32.dll+18ce6c|C:\Windows\System32\SHELL32.dll+18cbc3|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000059042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:08.976{67EB100B-6AAC-61E9-CF03-000000002202}2504C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\Nmddfrqqrbyjeygggda.vbs" C:\Temp\ATTACKRANGE\Administrator{67EB100B-5288-61E9-FCE4-070000000000}0x7e4fc2HighMD5=95B2CC3A306C4C1059A53B660096F0A5,SHA256=8B2E206D1F6B510AD73C7541C03F39F9E4DDD7E3D1B9E31F3C8829C64B42E075,IMPHASH=661A40859BC6D47752E9FC5E02C1862C{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 354300x800000000000000059041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:05.814{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62381-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:08.428{67EB100B-6AAA-61E9-CD03-000000002202}4960ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:08.212{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=819F6A5163C7D89816EFB8D66FBAA0A6,SHA256=43B9E041D6111AC07F8716AD75ADF30F2C6716C5E6A03909EF9D1D2FA4F5DA62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:08.062{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5E166280007DF3483DE33499D4478BF9,SHA256=5C06419BF2A2B5B0A45159A3C6362D0889F21C103CD49E358733CE837F4498FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:08.043{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B6D048F8D36EC0B07BD88441FB0DD74A,SHA256=517549FBC9E891D956A22C0D50F340ECA0C1470774FC2D6AEEF4D60F0B669ADF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:08.043{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FD77F3A499E003FD76DB77302BD696F,SHA256=3ECB833E93671C22F59A3D4243A5C013492FC261EA5BBE781B6A9AF6DDD71F43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034986Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:09.970{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74664B6EF777AC7AB410E6247D3D2F5F,SHA256=8CBE12DF3D105DD6A6163838E533C2B721090AF6FF48A02890DB851C1D16F073,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.997{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D482C6B1C58D336EB2AB802D4EE6C581,SHA256=49B7B79321EEF830859F697EFF699B9471BBB1FC4A236ECEA6BACB70FB68EEBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.994{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E1AFFAAEA8A6E86CABAC953CE3DC60A,SHA256=61787D8EAC9D933CF6E5318BFEE6AE9CB083551E1992A102277B49433D486BED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.491{67EB100B-5232-61E9-1600-000000002202}12881856C:\Windows\system32\svchost.exe{67EB100B-6AAD-61E9-D003-000000002202}1920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.491{67EB100B-5232-61E9-1600-000000002202}12881328C:\Windows\system32\svchost.exe{67EB100B-6AAD-61E9-D003-000000002202}1920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.427{67EB100B-5230-61E9-0B00-000000002202}648784C:\Windows\system32\lsass.exe{67EB100B-6AAD-61E9-D003-000000002202}1920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.427{67EB100B-5230-61E9-0B00-000000002202}648784C:\Windows\system32\lsass.exe{67EB100B-6AAD-61E9-D003-000000002202}1920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000059073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-CreatePipe2022-01-20 13:59:09.374{67EB100B-6AAD-61E9-D003-000000002202}1920\PSHost.132871607492006182.1920.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000059072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.358{67EB100B-6AAD-61E9-D003-000000002202}1920ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_yurzwqro.l0y.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.358{67EB100B-6AAD-61E9-D003-000000002202}1920ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_0esiqs3u.suz.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000059070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.327{67EB100B-6AAD-61E9-D003-000000002202}1920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_0esiqs3u.suz.ps12022-01-20 13:59:09.327 10341000x800000000000000059069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.311{67EB100B-5230-61E9-0B00-000000002202}648784C:\Windows\system32\lsass.exe{67EB100B-6AAD-61E9-D003-000000002202}1920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.311{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-6AAD-61E9-D003-000000002202}1920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.290{67EB100B-5230-61E9-0B00-000000002202}648784C:\Windows\system32\lsass.exe{67EB100B-6AAD-61E9-D003-000000002202}1920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000059066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.258{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BEE7AF458C205525FEC759E8FD16D31F,SHA256=C1B56D180ABD84501EFE1AD2DB0C697A6E37A2D52A4597CFB2E53659EB99A396,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.212{67EB100B-5232-61E9-1600-000000002202}12881856C:\Windows\system32\svchost.exe{67EB100B-6AAD-61E9-D103-000000002202}5104C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.212{67EB100B-5232-61E9-1600-000000002202}12881328C:\Windows\system32\svchost.exe{67EB100B-6AAD-61E9-D103-000000002202}5104C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.212{67EB100B-6AAD-61E9-D103-000000002202}51045804C:\Windows\system32\conhost.exe{67EB100B-6AAD-61E9-D003-000000002202}1920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.196{67EB100B-5286-61E9-7A00-000000002202}12643096C:\Windows\system32\csrss.exe{67EB100B-6AAD-61E9-D103-000000002202}5104C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.196{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.196{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.196{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.196{67EB100B-5286-61E9-7A00-000000002202}12643096C:\Windows\system32\csrss.exe{67EB100B-6AAD-61E9-D003-000000002202}1920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.196{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.196{67EB100B-6AAC-61E9-CF03-000000002202}25046104C:\Windows\System32\WScript.exe{67EB100B-6AAD-61E9-D003-000000002202}1920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a912f|C:\Windows\System32\windows.storage.dll+a8da5|C:\Windows\System32\windows.storage.dll+a8896|C:\Windows\System32\windows.storage.dll+a9d08|C:\Windows\System32\windows.storage.dll+a86be|C:\Windows\System32\windows.storage.dll+ab4d5|C:\Windows\System32\windows.storage.dll+ab854|C:\Windows\System32\windows.storage.dll+aae90|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+dcb4e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000059055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.200{67EB100B-6AAD-61E9-D003-000000002202}1920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath 'C:\'C:\Temp\ATTACKRANGE\Administrator{67EB100B-5288-61E9-FCE4-070000000000}0x7e4fc2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{67EB100B-6AAC-61E9-CF03-000000002202}2504C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\Nmddfrqqrbyjeygggda.vbs" 10341000x800000000000000059054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.196{67EB100B-5230-61E9-0B00-000000002202}648784C:\Windows\system32\lsass.exe{67EB100B-6AAC-61E9-CF03-000000002202}2504C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.196{67EB100B-5230-61E9-0B00-000000002202}648784C:\Windows\system32\lsass.exe{67EB100B-6AAC-61E9-CF03-000000002202}2504C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.112{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-6AAC-61E9-CF03-000000002202}2504C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.112{67EB100B-5232-61E9-1600-000000002202}12881856C:\Windows\system32\svchost.exe{67EB100B-6AAC-61E9-CF03-000000002202}2504C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.112{67EB100B-5232-61E9-1600-000000002202}12881328C:\Windows\system32\svchost.exe{67EB100B-6AAC-61E9-CF03-000000002202}2504C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000059049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.074{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DA766548CCD3CDCD12AB3DB4CE1CD4F,SHA256=5A6CDBDAFC522D3A4690938ED353FD6CB1F9594763D4E5C3DBD4586102137A82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:10.350{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1ED9CCBD7DDF1D4D8B957A535776FCC3,SHA256=DE6B8506871556941D5CD0AEDC31080B533AE38A6354EB58C3D4CD1C08A94F50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:10.284{67EB100B-6AAD-61E9-D003-000000002202}1920ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:10.268{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F4C04AD5FDB108EB2EC1A6EE9252799A,SHA256=532D9FB52027A7B71D80DA211A6C2937F66B35A8B8736799B4CB2A2185088F78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:10.200{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A65B63B464345F39B7F567DEEC470D2,SHA256=76A3C830347CF4642B06549955D4F6EEC5E1959C6C31B9C0F41E8B73AE84455F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:10.022{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BAE6EEC46088269A2C2271F7FB60036D,SHA256=C8FEEE934C85DC7885A355B1F977146FDA8E1194C4BA62F43B9B674A4321A470,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:11.232{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6AAF-61E9-D203-000000002202}2244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:11.232{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:11.232{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:11.232{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:11.232{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:11.232{67EB100B-5230-61E9-0500-000000002202}4162384C:\Windows\system32\csrss.exe{67EB100B-6AAF-61E9-D203-000000002202}2244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:11.232{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6AAF-61E9-D203-000000002202}2244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000059086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:11.085{67EB100B-6AAF-61E9-D203-000000002202}2244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:11.201{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DA7D38CBDA2ED339F4A5138BB23D7D9,SHA256=9ADAB985B5D6AFBF96EA38BF2FBD9003605D8CF6C571F04B26CD764D291D706E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034987Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:11.001{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69C42E9A25EEA25FBE254B931F2856F0,SHA256=2DD771D2B011941873F7E654E95A966DE3DACFE2E869E79D0FC9AF9766735CB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:10.864{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62382-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000059104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:12.482{67EB100B-6AAF-61E9-D303-000000002202}17325404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000059103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:12.267{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4A30B133D7025269EC716FA30DEDA19,SHA256=066D49C3B1D82A39C234CA965F8A4B77C82D75FF7C3D69C1DA429B4F7FE190CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034989Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:10.119{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50957-false10.0.1.12-8000- 23542300x800000000000000034988Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:12.001{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07DFB1F76E1FF7D7DC0DF1D95142F29B,SHA256=872C1651AE043935D265F5014C6B9BF7827C0A81E88BB84A57F6F19964B8200A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:12.145{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6AAF-61E9-D303-000000002202}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:12.138{67EB100B-5230-61E9-0500-000000002202}4162384C:\Windows\system32\csrss.exe{67EB100B-6AAF-61E9-D303-000000002202}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:12.138{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:12.138{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:12.138{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:12.138{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:12.138{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6AAF-61E9-D303-000000002202}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000059095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:11.949{67EB100B-6AAF-61E9-D303-000000002202}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:12.093{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=619C5EF591B65F0E17589518E740B13A,SHA256=A7535548E320615A9733BDFF09C4FF136090D121BEDDB94CBF4782BED4EDE43A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:13.399{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6AB1-61E9-D403-000000002202}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:13.399{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:13.399{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:13.399{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:13.399{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:13.399{67EB100B-5230-61E9-0500-000000002202}4161776C:\Windows\system32\csrss.exe{67EB100B-6AB1-61E9-D403-000000002202}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:13.399{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6AB1-61E9-D403-000000002202}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000059107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:13.200{67EB100B-6AB1-61E9-D403-000000002202}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:13.268{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B178D97226C78A2A5629D8F0CF90CD76,SHA256=AFDB269C8D36C833A2FDF903CC78080D176D9F7DE3C0EC754FDAD9CEEFEE4CEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034990Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:13.048{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDB77D640851FA65BDFE7F91272D6FC7,SHA256=09FA5E4200DB56CCA012C78DADC46A9146DA5BFF9C946BDF25772E68299E7531,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:14.468{67EB100B-6AB2-61E9-D503-000000002202}46404476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:14.299{67EB100B-5289-61E9-8400-000000002202}41764244C:\Windows\system32\taskhostw.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000059124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:14.283{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=201C513BC24F10C998AEA2F7962437E2,SHA256=604006FCDB1F00663203DAB8304B268E25D8F33EB19F471DB1308F15C73E5939,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034991Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:14.110{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F6798E154B10DA0DFFC881D0B31869C,SHA256=0F043017F0C943A0C7431FD46FE017AA3885BA93C3C076A911D81F400407CC3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:14.230{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6AB2-61E9-D503-000000002202}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:14.230{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:14.230{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:14.230{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:14.230{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:14.230{67EB100B-5230-61E9-0500-000000002202}416432C:\Windows\system32\csrss.exe{67EB100B-6AB2-61E9-D503-000000002202}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:14.230{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6AB2-61E9-D503-000000002202}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000059116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:14.084{67EB100B-6AB2-61E9-D503-000000002202}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:14.214{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3968D5164841F97116BF82D7D1C4F179,SHA256=18FFBB1F2A393528507C7564B92892D6A60135BAA66CD36BDC91D621F1CB9395,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034992Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:15.126{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=018E7DFFDB6E8D1A902AE04545327FD5,SHA256=98B3A2B277A2C8012EF35CA499EE4C096A4EAE89391B221DD09C64005C15F0E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:15.984{67EB100B-6AB3-61E9-D703-000000002202}67206708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000059147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:14.363{67EB100B-5230-61E9-0B00-000000002202}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local62383-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local389ldap 354300x800000000000000059146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:14.363{67EB100B-5243-61E9-2300-000000002202}2824C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local62383-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local389ldap 10341000x800000000000000059145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:15.815{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6AB3-61E9-D703-000000002202}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:15.815{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:15.815{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:15.815{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:15.815{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:15.815{67EB100B-5230-61E9-0500-000000002202}4162384C:\Windows\system32\csrss.exe{67EB100B-6AB3-61E9-D703-000000002202}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:15.815{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6AB3-61E9-D703-000000002202}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000059138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:15.816{67EB100B-6AB3-61E9-D703-000000002202}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:15.637{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62CAC9F459E206CDA8B5103FDAC527E2,SHA256=0FB4035378DA619AAF1E69D95393D5E659060B82AF5AD862FD42452F1A77416D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:15.410{67EB100B-6AB2-61E9-D603-000000002202}58445524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000059135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:15.295{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7585769806C8DD8B1855F7200E1E7502,SHA256=6F8290F9B39BE094530E752342963202303B0C67B588A97F542EE1F71F115AAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:15.124{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6AB2-61E9-D603-000000002202}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:15.121{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:15.120{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:15.120{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:15.120{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:15.120{67EB100B-5230-61E9-0500-000000002202}4162448C:\Windows\system32\csrss.exe{67EB100B-6AB2-61E9-D603-000000002202}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:15.119{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6AB2-61E9-D603-000000002202}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000059127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:14.947{67EB100B-6AB2-61E9-D603-000000002202}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:16.836{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDFA2A607ED631B97426DF37D57B7486,SHA256=FB1A718D5EE410B3CFB64D0E5C071B6DB3ED00FF94E1D8523D1890F278A12B60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:16.384{67EB100B-5289-61E9-8400-000000002202}41764244C:\Windows\system32\taskhostw.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000059149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:16.368{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A787D55F7FE909F5CCC07FFDDDE682E,SHA256=687782E385B70BC2F45F859FD12CC278E57BAA35FA8C2124F9A2C2E0EB2AC9C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034993Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:16.157{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6069B15418412C4DB3702FC4F3BD8D5B,SHA256=CBE88EF301555E07EC3F8BF08211C772589032C3255EDE7EFC888A7AEA578E41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:17.368{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=871C16216C4CE1761C75B9E0A35E7E79,SHA256=178E85E1C59FC6955E326DF3C9F3A2FA6ED1A51C167A9A1CB1E5146E76D19F4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034995Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:15.244{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50958-false10.0.1.12-8000- 23542300x800000000000000034994Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:17.173{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94E9452E2AE868B83DE68205F8463F94,SHA256=8DAF323E2B621EF77AD01AFE1D316E27A6B17EE27BE3FBA4F863ABF992664E0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:18.638{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6AB6-61E9-D803-000000002202}7052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:18.628{67EB100B-5230-61E9-0500-000000002202}4162448C:\Windows\system32\csrss.exe{67EB100B-6AB6-61E9-D803-000000002202}7052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:18.628{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:18.628{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:18.628{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:18.628{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:18.628{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6AB6-61E9-D803-000000002202}7052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000059155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:18.400{67EB100B-6AB6-61E9-D803-000000002202}7052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:18.383{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34AB2C0C15228E340039E0491911465C,SHA256=095D417D7516C49313B78E3B3E216D012F9F418F3E049A91DEEAD54C76FCD47F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034996Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:18.220{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E5118BC4F698803201AC1A1F9CC6931,SHA256=6F89E4838B1A173F83D68FD7DC6CD171D2AF6F63F16E67E8F2AFAF62529ACE14,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:15.902{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62384-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:19.410{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49FD99FD952BBB9FF9334BCA85641A9A,SHA256=EB4D3D514E694E29403B1333B8E033FF87E1D71324696440DC661F19F5A79477,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:19.410{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48ACF31198B8F0195F92AC8A42C7A2CF,SHA256=52A24207AEA648D8C3F95F14FF7C0C7DC9C2B8924444CFC45F9107B3627AB092,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034997Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:19.235{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D49286E20B2E969E3C1EA44982390C1,SHA256=879506B80AF0932E2379182F7853A2FF3DCDA1993545AE21BC9415AA4E111017,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.832{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=001E8080F2B6A9B81E0A1F88E3E05A50,SHA256=F74E922C91D5CCC73D8E44A120BA86D2A677B3CB1361FF3A0E3067DF48DF9DB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.785{67EB100B-5288-61E9-8100-000000002202}37081864C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000059244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.783{67EB100B-5288-61E9-8100-000000002202}37081864C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000059243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.783{67EB100B-5288-61E9-8100-000000002202}37081864C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000059242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.783{67EB100B-5288-61E9-8100-000000002202}37081864C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000059241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.780{67EB100B-5288-61E9-8100-000000002202}37082624C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 23542300x800000000000000034998Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:20.251{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A44B36F3A605930CCB54A26F96C33299,SHA256=F76D22DB60168CB3345B58D1E3EBDF5324F19E1FDAEC5D04677209F9480FFE16,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.780{67EB100B-5288-61E9-8100-000000002202}37082624C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 23542300x800000000000000059239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.761{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3D5C27D8C165397E1B859E7AED6D392,SHA256=F5FCD8EF7EED50F9D3D6CD02FC16A8DA33938CEA8FEFF279A98EE69E7ED9A601,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.761{67EB100B-5288-61E9-8100-000000002202}37081864C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000059237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.761{67EB100B-5288-61E9-8100-000000002202}37087100C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000059236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.761{67EB100B-5288-61E9-8100-000000002202}37082692C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+54193|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000059235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.761{67EB100B-5288-61E9-8100-000000002202}37087100C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000059234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.761{67EB100B-5288-61E9-8100-000000002202}37081864C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000059233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.761{67EB100B-5288-61E9-8100-000000002202}37082624C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+54193|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000059232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.761{67EB100B-5288-61E9-8100-000000002202}37082624C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+54193|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000059231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.761{67EB100B-5288-61E9-8100-000000002202}37082692C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+54193|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000059230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.761{67EB100B-5288-61E9-8100-000000002202}37085988C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000059229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.761{67EB100B-5288-61E9-8100-000000002202}37085988C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000059228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.761{67EB100B-5288-61E9-8100-000000002202}37086660C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+54193|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000059227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.761{67EB100B-5288-61E9-8100-000000002202}37086660C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+54193|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000059226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.761{67EB100B-5288-61E9-8100-000000002202}37085884C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+54193|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000059225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.761{67EB100B-5288-61E9-8100-000000002202}37085884C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+54193|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 23542300x800000000000000059224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.748{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BD922469C626E4CC025A1E83E8504F5,SHA256=2414AFC2DE3D4192C89A0C292F4D45441DC115DCE3364A9706CAA909BC1E4ECD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.729{67EB100B-5288-61E9-8100-000000002202}37081684C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7 10341000x800000000000000059222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.729{67EB100B-5288-61E9-8100-000000002202}37084152C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7 10341000x800000000000000059221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.729{67EB100B-5288-61E9-8100-000000002202}37085076C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7 10341000x800000000000000059220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.729{67EB100B-5288-61E9-8100-000000002202}37083048C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7 10341000x800000000000000059219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.729{67EB100B-5288-61E9-8100-000000002202}37085616C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7 10341000x800000000000000059218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.729{67EB100B-5288-61E9-8100-000000002202}37085168C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7 10341000x800000000000000059217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.729{67EB100B-5288-61E9-8100-000000002202}37086648C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7 10341000x800000000000000059216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.729{67EB100B-5288-61E9-8100-000000002202}37086768C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7 10341000x800000000000000059215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.729{67EB100B-5288-61E9-8100-000000002202}37086836C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7 10341000x800000000000000059214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.729{67EB100B-5288-61E9-8100-000000002202}37086856C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7 10341000x800000000000000059213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.410{67EB100B-5288-61E9-8100-000000002202}37086648C:\Windows\System32\RuntimeBroker.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000059212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.410{67EB100B-5288-61E9-8100-000000002202}37086648C:\Windows\System32\RuntimeBroker.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000059211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.394{67EB100B-5289-61E9-8900-000000002202}45246364C:\Windows\Explorer.EXE{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.394{67EB100B-5289-61E9-8900-000000002202}45246364C:\Windows\Explorer.EXE{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.358{67EB100B-5289-61E9-8900-000000002202}45247104C:\Windows\Explorer.EXE{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.358{67EB100B-5289-61E9-8900-000000002202}45247104C:\Windows\Explorer.EXE{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.341{67EB100B-5289-61E9-8900-000000002202}45247104C:\Windows\Explorer.EXE{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.309{67EB100B-5288-61E9-8100-000000002202}37086648C:\Windows\System32\RuntimeBroker.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000059205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.309{67EB100B-5288-61E9-8100-000000002202}37086648C:\Windows\System32\RuntimeBroker.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e 10341000x800000000000000059204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.309{67EB100B-5230-61E9-0B00-000000002202}6486544C:\Windows\system32\lsass.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.309{67EB100B-5243-61E9-2B00-000000002202}3068672C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000059202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.309{67EB100B-5243-61E9-2B00-000000002202}3068672C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca 10341000x800000000000000059201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.294{67EB100B-5289-61E9-8900-000000002202}45244700C:\Windows\Explorer.EXE{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba0bc|C:\Windows\System32\TwinUI.dll+ba897|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000059200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.294{67EB100B-5289-61E9-8900-000000002202}45244700C:\Windows\Explorer.EXE{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba0bc|C:\Windows\System32\TwinUI.dll+ba897|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000059199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.275{67EB100B-5232-61E9-0D00-000000002202}9202520C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.275{67EB100B-5232-61E9-0D00-000000002202}9202520C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.274{67EB100B-5232-61E9-0D00-000000002202}9202520C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.274{67EB100B-5232-61E9-0D00-000000002202}9202520C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.274{67EB100B-5232-61E9-0D00-000000002202}9202520C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.274{67EB100B-5232-61E9-0D00-000000002202}9202520C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.274{67EB100B-5232-61E9-0D00-000000002202}9206540C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.273{67EB100B-5232-61E9-0D00-000000002202}9206540C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.273{67EB100B-5232-61E9-0D00-000000002202}9206540C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.273{67EB100B-5232-61E9-0D00-000000002202}9206540C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.273{67EB100B-5232-61E9-0D00-000000002202}9206540C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.273{67EB100B-5232-61E9-0D00-000000002202}9206540C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.273{67EB100B-5232-61E9-0D00-000000002202}9206540C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.273{67EB100B-5232-61E9-0D00-000000002202}9206540C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.273{67EB100B-5232-61E9-0D00-000000002202}9206540C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.273{67EB100B-5232-61E9-0D00-000000002202}9206540C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.272{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.272{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.272{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.272{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000059179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.272{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000059178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.256{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000059177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.256{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.256{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.256{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.256{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000059173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.256{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000059172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.256{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000059171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.256{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.256{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.256{67EB100B-5289-61E9-8900-000000002202}45245584C:\Windows\Explorer.EXE{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.256{67EB100B-5289-61E9-8900-000000002202}45245584C:\Windows\Explorer.EXE{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.256{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.256{67EB100B-5289-61E9-8900-000000002202}45244700C:\Windows\Explorer.EXE{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57d45|C:\Windows\System32\TwinUI.dll+37690|C:\Windows\System32\TwinUI.dll+37744|C:\Windows\System32\TwinUI.dll+38acf|C:\Windows\System32\TwinUI.dll+374bd|C:\Windows\System32\TwinUI.dll+36ef1|C:\Windows\System32\TwinUI.dll+1094cd|C:\Windows\System32\TwinUI.dll+d234f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.256{67EB100B-5289-61E9-8900-000000002202}45244700C:\Windows\Explorer.EXE{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57d45|C:\Windows\System32\TwinUI.dll+376f8|C:\Windows\System32\TwinUI.dll+37731|C:\Windows\System32\TwinUI.dll+38acf|C:\Windows\System32\TwinUI.dll+374bd|C:\Windows\System32\TwinUI.dll+36ef1|C:\Windows\System32\TwinUI.dll+1094cd|C:\Windows\System32\TwinUI.dll+d234f|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:21.958{67EB100B-5243-61E9-2B00-000000002202}30684568C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000059261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:21.958{67EB100B-5243-61E9-2B00-000000002202}30684568C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca 10341000x800000000000000059260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:21.958{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000059259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:21.958{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000059258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:21.958{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000059257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:21.672{67EB100B-5289-61E9-8900-000000002202}45244700C:\Windows\Explorer.EXE{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba0bc|C:\Windows\System32\TwinUI.dll+ba897|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000059256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:21.672{67EB100B-5289-61E9-8900-000000002202}45244700C:\Windows\Explorer.EXE{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba0bc|C:\Windows\System32\TwinUI.dll+ba897|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000059255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:21.656{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:21.656{67EB100B-5289-61E9-8900-000000002202}4524712C:\Windows\Explorer.EXE{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:21.656{67EB100B-5289-61E9-8900-000000002202}4524712C:\Windows\Explorer.EXE{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:21.656{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:21.656{67EB100B-5232-61E9-0C00-000000002202}8646420C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000059250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:21.587{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BC9CACC3E20BB4115678EC45B75F7E2,SHA256=D18FD059AC166CD8DE2FBCD96BDD3A1B1DFCCAF11F710B42FFAB69C5BD8C6B53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034999Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:21.267{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC264A6838121B575789B6547F88D057,SHA256=705790CA1113967BFC14B1005A37B4B0F5312FE8FD5DBE2364E6447DF095D9C7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:21.057{67EB100B-5288-61E9-8100-000000002202}37081864C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000059248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:21.057{67EB100B-5288-61E9-8100-000000002202}37081864C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000059247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:21.057{67EB100B-5288-61E9-8100-000000002202}37086856C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7 23542300x800000000000000059269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:22.589{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96EB8F84B4EC3AFC6DB772B350E78DBB,SHA256=BC96EF1F1A409D4CC80F3C61A5DCF903037FE45F2C262B20A80380193D862112,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035000Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:22.282{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A03ABA926A73ABAC7D2ECA32319D2454,SHA256=57D59AD4F49527E6929369F2A1B776B590DB5AAA4EFE3685AD19692CF8F49482,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:22.020{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000059267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:22.020{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000059266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:22.020{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000059265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:22.020{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000059264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:22.020{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000059263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:22.020{67EB100B-5289-61E9-8200-000000002202}41241576C:\Windows\system32\sihost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000059271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:21.922{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62385-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:23.589{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73179BF846884BD9B65165F88E41D96D,SHA256=3681892397B09666D91EB1945EDF9BAF87324C0D5EE258E94783280433CF3143,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035002Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:21.135{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50959-false10.0.1.12-8000- 23542300x800000000000000035001Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:23.298{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=463B9A6E726311BB6265C6AED5480FD9,SHA256=E4C40E79A4BF59BEE120C122F99BBFE254D807B4635CFE2736621B70EA0AB96D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:24.605{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF8CC60DE8F43993D9C16BCAB9C8EEA7,SHA256=245797B9D46D625AA3BBD871E4DD0ECC5826CEB3FD171DDDBC88475B7FDD3A46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035003Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:24.314{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BBD4577527AC42DA72D923272C1972E,SHA256=5FF65F6D95B707F6CBEED6D716049D53A507D265924DD39E8D06F153247F0388,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:25.621{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9AF7BE9A96D8C682F593651CD6AC03D,SHA256=53D37514F352243235E8105A3331EEDAB8302ED2B2C16D6015A28B6C1341C1DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035004Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:25.329{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A260919F3D20B900074EACE305EA6AB7,SHA256=B6EBB014947A32CDCB805B6BBFC7E10459A061E2D82BCA792DA75910F44D6B46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:26.975{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000059284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:26.975{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000059283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:26.975{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000059282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:26.975{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000059281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:26.975{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000059280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:26.975{67EB100B-5289-61E9-8200-000000002202}41241576C:\Windows\system32\sihost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:26.940{67EB100B-5232-61E9-0C00-000000002202}8646420C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000059278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:26.940{67EB100B-5232-61E9-0C00-000000002202}8646420C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000059277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:26.940{67EB100B-5232-61E9-0C00-000000002202}8646420C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 11241100x800000000000000059276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:26.740{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXEC:\Users\ADMINI~1\AppData\Local\Temp\Nmddfrqqrbyjeygggda.vbs2022-01-20 13:59:26.740 11241100x800000000000000059275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.localEXE2022-01-20 13:59:26.738{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXEC:\Users\ADMINI~1\AppData\Local\Temp\AdvancedRun.exe2022-01-20 13:59:26.738 23542300x800000000000000059274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:26.689{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB1CC8425C590866DB21077D710E0342,SHA256=ED0EE7508A0086119618BC62D4A7F58295CC367F405240144727461A3DF24C2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035005Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:26.345{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4C42DE26E2E76957AE288787A00A162,SHA256=090DA6A31A1F85B8536F3183053B7B21DDF225350EDE6EF722D82B56A208F38C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:27.706{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75089F50887DB63A3A430ACF9B2C0EFB,SHA256=5360280A54FA3A41B60DEC6D866D0849FEC53FAC1146A58CE462AA266D687AF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035007Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:27.642{8EF30467-5221-61E9-1100-000000002202}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4F20721C2FBDFC56B005C78608FA4F91,SHA256=0039BBAE2D655762EFE13154A06303C46E273C7762E719FA1AEC5939841DEC51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035006Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:27.360{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=899C50C19C947F3D49F33A86F3769A38,SHA256=7606EED08B0173AE6863FC8195A310B7FA3F0C4FB44DF4E1C24987148FACAB04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035008Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:28.376{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4448A7207C867BC86A7BEC3C032F4E66,SHA256=08A5BFB3058E79331DC8BB00DB3B0B09ACE47DC0BE4AE8073E144D4C0592B541,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:28.924{67EB100B-5232-61E9-1600-000000002202}12884392C:\Windows\system32\svchost.exe{67EB100B-6AC0-61E9-DA03-000000002202}4772C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:28.924{67EB100B-5232-61E9-1600-000000002202}12881328C:\Windows\system32\svchost.exe{67EB100B-6AC0-61E9-DA03-000000002202}4772C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:28.823{67EB100B-5230-61E9-0B00-000000002202}6484172C:\Windows\system32\lsass.exe{67EB100B-6AC0-61E9-DA03-000000002202}4772C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:28.823{67EB100B-5230-61E9-0B00-000000002202}6484172C:\Windows\system32\lsass.exe{67EB100B-6AC0-61E9-DA03-000000002202}4772C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000059317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-CreatePipe2022-01-20 13:59:28.792{67EB100B-6AC0-61E9-DA03-000000002202}4772\PSHost.132871607685769830.4772.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000059316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:28.777{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA0B7B6EFBD0B9F546B85D2F5A49CCB9,SHA256=B53DD1A2A7359C0E8D38EF29929073C0214770AD77E7A05409736921FB82C24B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:28.761{67EB100B-6AC0-61E9-DA03-000000002202}4772ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_g1vtfyv3.4f5.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:28.761{67EB100B-6AC0-61E9-DA03-000000002202}4772ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ioc3hcaw.x4p.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000059313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:28.745{67EB100B-6AC0-61E9-DA03-000000002202}4772C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ioc3hcaw.x4p.ps12022-01-20 13:59:28.745 10341000x800000000000000059312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:28.708{67EB100B-5230-61E9-0B00-000000002202}6484172C:\Windows\system32\lsass.exe{67EB100B-6AC0-61E9-DA03-000000002202}4772C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:28.676{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-6AC0-61E9-DA03-000000002202}4772C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:28.661{67EB100B-5230-61E9-0B00-000000002202}6484172C:\Windows\system32\lsass.exe{67EB100B-6AC0-61E9-DA03-000000002202}4772C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:28.607{67EB100B-5232-61E9-1600-000000002202}12884392C:\Windows\system32\svchost.exe{67EB100B-6AC0-61E9-DB03-000000002202}4412C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:28.607{67EB100B-5232-61E9-1600-000000002202}12881328C:\Windows\system32\svchost.exe{67EB100B-6AC0-61E9-DB03-000000002202}4412C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:28.591{67EB100B-6AC0-61E9-DB03-000000002202}44125560C:\Windows\system32\conhost.exe{67EB100B-6AC0-61E9-DA03-000000002202}4772C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:28.576{67EB100B-5286-61E9-7A00-000000002202}12646132C:\Windows\system32\csrss.exe{67EB100B-6AC0-61E9-DB03-000000002202}4412C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:28.576{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:28.576{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:28.576{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:28.576{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:28.576{67EB100B-5286-61E9-7A00-000000002202}12643200C:\Windows\system32\csrss.exe{67EB100B-6AC0-61E9-DA03-000000002202}4772C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:28.576{67EB100B-6AC0-61E9-D903-000000002202}70686944C:\Windows\System32\WScript.exe{67EB100B-6AC0-61E9-DA03-000000002202}4772C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a912f|C:\Windows\System32\windows.storage.dll+a8da5|C:\Windows\System32\windows.storage.dll+a8896|C:\Windows\System32\windows.storage.dll+a9d08|C:\Windows\System32\windows.storage.dll+a86be|C:\Windows\System32\windows.storage.dll+ab4d5|C:\Windows\System32\windows.storage.dll+ab854|C:\Windows\System32\windows.storage.dll+aae90|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+dcb4e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000059299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:28.576{67EB100B-6AC0-61E9-DA03-000000002202}4772C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath 'C:\'C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{67EB100B-5288-61E9-FCE4-070000000000}0x7e4fc2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{67EB100B-6AC0-61E9-D903-000000002202}7068C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Users\ADMINI~1\AppData\Local\Temp\Nmddfrqqrbyjeygggda.vbs" 10341000x800000000000000059298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:28.560{67EB100B-5230-61E9-0B00-000000002202}6484172C:\Windows\system32\lsass.exe{67EB100B-6AC0-61E9-D903-000000002202}7068C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:28.560{67EB100B-5230-61E9-0B00-000000002202}6484172C:\Windows\system32\lsass.exe{67EB100B-6AC0-61E9-D903-000000002202}7068C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:28.491{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-6AC0-61E9-D903-000000002202}7068C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:28.491{67EB100B-5232-61E9-1600-000000002202}12884392C:\Windows\system32\svchost.exe{67EB100B-6AC0-61E9-D903-000000002202}7068C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:28.491{67EB100B-5232-61E9-1600-000000002202}12881328C:\Windows\system32\svchost.exe{67EB100B-6AC0-61E9-D903-000000002202}7068C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:28.476{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:28.476{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:28.476{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:28.476{67EB100B-5286-61E9-7A00-000000002202}12643200C:\Windows\system32\csrss.exe{67EB100B-6AC0-61E9-D903-000000002202}7068C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:28.476{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:28.476{67EB100B-5289-61E9-8900-000000002202}45246456C:\Windows\Explorer.EXE{67EB100B-6AC0-61E9-D903-000000002202}7068C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a912f|C:\Windows\System32\windows.storage.dll+a8da5|C:\Windows\System32\windows.storage.dll+a8896|C:\Windows\System32\windows.storage.dll+a9d08|C:\Windows\System32\windows.storage.dll+a86be|C:\Windows\System32\windows.storage.dll+ab4d5|C:\Windows\System32\windows.storage.dll+ab854|C:\Windows\System32\windows.storage.dll+aae90|C:\Windows\System32\windows.storage.dll+ad6ba|C:\Windows\System32\windows.storage.dll+ad472|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801e1|C:\Windows\System32\SHELL32.dll+6717e|C:\Windows\System32\SHELL32.dll+18ce6c|C:\Windows\System32\SHELL32.dll+18cbc3|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000059287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:28.487{67EB100B-6AC0-61E9-D903-000000002202}7068C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Users\ADMINI~1\AppData\Local\Temp\Nmddfrqqrbyjeygggda.vbs" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{67EB100B-5288-61E9-FCE4-070000000000}0x7e4fc2HighMD5=95B2CC3A306C4C1059A53B660096F0A5,SHA256=8B2E206D1F6B510AD73C7541C03F39F9E4DDD7E3D1B9E31F3C8829C64B42E075,IMPHASH=661A40859BC6D47752E9FC5E02C1862C{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000059330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:29.709{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=291CF393BD735AFA093085BCE53BAC92,SHA256=B3C14E96A9C8F06CE54918B82AFB7298228AF9EA0B2FA25B80E2053D04DB9F34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:29.709{67EB100B-6AC0-61E9-DA03-000000002202}4772ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035010Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:29.392{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F4D37F77EADFFCE3B46A4D026834173,SHA256=7DF4A74EA8868867D1A445F45C27A383B05ED18A9074433C26951C2F46297F58,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035009Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:26.150{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50960-false10.0.1.12-8000- 23542300x800000000000000059328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:29.492{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53BD0E50BE1D4F1B47D36772F63430BB,SHA256=C87254DF5A047A03EFC931EDA6D21E56DE7913CC3CBA2D2979FBE97D752CD86C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:29.492{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C8FF9C1A57925AD95007F6DE3F7BF24,SHA256=12178BB74465971082AC36D8841F2CC02CD357788C07DE0EE0B12465AA40E89C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:29.476{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=15A828D049A46090214330A4DD3AB2D8,SHA256=BD0E5E8C6DB622C73BFD4CCC3C350995A915600A50D2B569D416052E55B4B6CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:29.408{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1CC6C0184D341D9C7AFB848F6BEEE2AA,SHA256=0C560F2BD01990436BF4D5A97058A5920E49BD7B16CB2A02C6551D7A46D8D3A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:29.392{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DCBA8A32F93AA97A2505473D84434194,SHA256=521EF178EB0ED9006FB41975D8B2E979D370D1DE03606CE65D620B0DF8ABFF7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:29.392{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3C92762529B2E93C57B6A17432EB5F0F,SHA256=35B4E076A042DCC5DF00A7B2C2773A3E5033DBDC6EFD7147CD81A9BEFEF2095B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:26.972{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62386-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:30.710{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46279C0545486848E4F965F1A6753E2A,SHA256=6340976157AE61C3581C92ADD6F86219A733289B9F9E22871F3F08F31E04C32C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035011Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:30.393{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90AA1E7A8DD4FB31A4B99AEE6CBECDF2,SHA256=4BE1D4B1BCB434219B0C69C7E7FBC54AD981A6928BB0A190D7CD92198ACC44CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:30.594{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=98E08A9F39E8446E64F859F093900949,SHA256=43F49C76F475C40A6B92DC0BCF169848663561DEB04BBF66427CA20E5782F821,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:31.764{67EB100B-5230-61E9-0B00-000000002202}6484172C:\Windows\system32\lsass.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:31.748{67EB100B-5230-61E9-0B00-000000002202}6484172C:\Windows\system32\lsass.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000059333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:31.711{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94943F59944243FB282D88406BC68C2E,SHA256=6644C0E7724977373BC80C717FA288D02F151CBE74D190970DFC0917614D9D3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035012Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:31.409{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B856C18DEC55F766311C401885C0467,SHA256=353C04E6B8C8D8A7D179F5AFD63981353C0BF382115F8FDBEE5CD32F5A284C10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035013Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:32.424{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D41A72E7EB5EA477ECC705F91B3BB823,SHA256=D93C9A8CC853E202A65C265AA15CD3D4BFFF35998240C22E41C8F7227CD7492A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:32.712{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EC653494048D29480DC5D9DEB9C2411,SHA256=89FCC4CC02DED313425AD075FAF351B441008164F2178895CEAA2E987C51A4CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:33.744{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ED565BCB4BB4045F21C724CD2A554DB,SHA256=D2A0AF9E0CF66DDD785793F5C14E32C5A358C3A9BF940F23E17C3540BBB06F4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035014Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:33.424{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA67A89A21D0B0B33D705479E759DE3B,SHA256=EA998A55A81BCE18288A68B9C05E94D83406F5A42C921B58BDBFF025D6E599D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:34.765{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30F4E5126C20A505BA46B16E975DA353,SHA256=A8B43E61EB952CBCA2D224E96E9FF5E8FCEF0F3600D910A6B2F922697BBE6A4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035015Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:34.440{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17264B9740738E094FF485188D3352A6,SHA256=A71FF9582624F4C2CA0B38333618C69B33E1C81C51A44C55F3BB31E3F8723DFB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000059338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:34.026{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXEC:\Temp\New Text Document.txt2022-01-20 13:59:34.026 23542300x800000000000000059341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:35.780{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0411AFF1A5B7AD9C68AA591D56E2FFB5,SHA256=FB44E0D7BFDC4A57468A335D8958743CDB6D759BB8EF91ABCD9DB1A227ECF293,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035017Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:35.502{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A7C2D1A21F0C1B057CA257E906629CE,SHA256=30A9E94287941864533F69B70756D2FD31A80483B7E3EC369F6F8C12C4F7DA38,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:32.829{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62387-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000035016Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:32.136{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50961-false10.0.1.12-8000- 23542300x800000000000000059342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:36.780{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=974CE966581630AB3E8D383E1BAE0DD6,SHA256=E17C0CB9EEB63DA28582082265919AC2F9E73211B01D37ADD953FAAC1DF5EB9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035018Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:36.533{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3780917DD4C015C91139B4D994ECF51B,SHA256=121CCBB3FBA2C71DCF402A47FB793E8AE24B539254F0E394975DD164B0DBB7AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035019Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:37.581{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05D526F3C804E0E5EA9CC46C2E25A14B,SHA256=62AE023D67B5703DD2A0CFA15D1DF5B6183C5ECC1577A7D714B7D023E040C135,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:37.795{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B88B91CC1B9A6B4954CAEE212ED232ED,SHA256=D19322BCD1E3CF602F54D602AF42CB1306B7042959AFCC3692BFA8D66884EB90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:37.681{67EB100B-5243-61E9-2500-000000002202}2840NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0231120d92e8ee7ae\channels\health\respondent-20220120121502-101MD5=8F9BF81EEEF0CC5FBD19D34ACA4D7654,SHA256=BDB857148A23C205BC97FF1DFCA28720A075C205934C789E9782C71AA2112876,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:38.798{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2AD22E226B3CF9DA022B75B153849A4,SHA256=0148CDFF04920E47BAEB8FAE24DE83DE7A7227884F002211586F4478E58765C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035020Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:38.612{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C91678D17013A30B1060E28478238A0F,SHA256=498833CC89167A7B6B952F6898AD4B47929DB0C3F8DA7E25CA1863A336034C97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:38.684{67EB100B-5243-61E9-2500-000000002202}2840NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0231120d92e8ee7ae\channels\health\surveyor-20220120121500-102MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:39.830{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0396227849EFB7504871943AA6BE23A2,SHA256=0878278D43D16D4C916BD3603707EACD3EBCD39BA4BB3F2E28140C9C6844A8A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035021Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:39.627{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D937232AEEF1D6D57E54B9B92A6CD1F,SHA256=BCDFA7D0299180C20587A9414EC906BE808116B9378CC81443150967B7153F7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:40.848{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48478097CD50F2AB9FEE431A6C1F91A2,SHA256=C960296E0CF288239B48D0C2D8C915778E9AD3F636288453DF4259C68A1AF724,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035036Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:40.737{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6ACC-61E9-5503-000000002202}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035035Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:40.737{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035034Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:40.737{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035033Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:40.737{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035032Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:40.737{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035031Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:40.737{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035030Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:40.737{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035029Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:40.737{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035028Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:40.737{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035027Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:40.737{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035026Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:40.737{8EF30467-5220-61E9-0500-000000002202}4121048C:\Windows\system32\csrss.exe{8EF30467-6ACC-61E9-5503-000000002202}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035025Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:40.737{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6ACC-61E9-5503-000000002202}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035024Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:40.737{8EF30467-6ACC-61E9-5503-000000002202}2816C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035023Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:40.659{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB5E5E607FC0E87AD14CC9E79364C370,SHA256=A839FCE1A7181D9BED83F12008354072D6B894CDE26FDE87BE17661A66AC7162,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:38.864{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62388-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000035022Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:37.151{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50962-false10.0.1.12-8000- 23542300x800000000000000059350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:41.850{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1445C4628D12E05921192CFF3F3B21D2,SHA256=7F07A77E4252C5C1887AD08B39E9371040267529E7E1C2D586C6F67F8DF07B74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035066Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:41.987{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6ACD-61E9-5703-000000002202}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035065Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:41.987{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035064Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:41.987{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035063Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:41.987{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035062Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:41.987{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035061Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:41.987{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035060Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:41.987{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035059Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:41.987{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035058Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:41.987{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035057Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:41.987{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035056Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:41.987{8EF30467-5220-61E9-0500-000000002202}4121048C:\Windows\system32\csrss.exe{8EF30467-6ACD-61E9-5703-000000002202}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x800000000000000035055Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:41.987{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9EA31B454AEECA0CA8B9970531B4D14,SHA256=56F04D9956F8721C25ADF86A5DEE07810355A3D1CB52C7A9CFB757D98524B457,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035054Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:41.987{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6ACD-61E9-5703-000000002202}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035053Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:41.989{8EF30467-6ACD-61E9-5703-000000002202}4088C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035052Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:41.987{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D25F548B49B5C648AA6C81FC45E7B9B7,SHA256=EB4D66447E86C8C9F0BFFB9700E2865860B92A44FC6A1982A123A3285B362E6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035051Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:41.987{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A9729BF02105665422A228CFDC141E4,SHA256=ACD0C79098ABBF6C3CB68AC79D6B31578D32B17C5C29A368B86A5D25E70B7B20,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035050Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:41.596{8EF30467-6ACD-61E9-5603-000000002202}20563984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035049Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:41.409{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6ACD-61E9-5603-000000002202}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035048Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:41.409{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035047Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:41.409{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035046Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:41.409{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035045Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:41.409{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035044Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:41.409{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035043Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:41.409{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035042Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:41.409{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035041Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:41.409{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035040Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:41.409{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035039Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:41.409{8EF30467-5220-61E9-0500-000000002202}412428C:\Windows\system32\csrss.exe{8EF30467-6ACD-61E9-5603-000000002202}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035038Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:41.409{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6ACD-61E9-5603-000000002202}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035037Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:41.410{8EF30467-6ACD-61E9-5603-000000002202}2056C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:42.898{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB63FF51E3C1C9D0E91D119B61B63D90,SHA256=4A3625AD9FFE453C623262791243505FAD3BB6D517DC3C2C27C3BF180D7985DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035079Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:42.846{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6ACE-61E9-5803-000000002202}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035078Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:42.846{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035077Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:42.846{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035076Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:42.846{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035075Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:42.846{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035074Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:42.846{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035073Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:42.846{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035072Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:42.846{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035071Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:42.846{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035070Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:42.846{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035069Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:42.846{8EF30467-5220-61E9-0500-000000002202}4121048C:\Windows\system32\csrss.exe{8EF30467-6ACE-61E9-5803-000000002202}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035068Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:42.846{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6ACE-61E9-5803-000000002202}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035067Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:42.847{8EF30467-6ACE-61E9-5803-000000002202}2672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:43.900{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CCD57B33C8637A779652984CA38F3F3,SHA256=391C0EF68DCD79BA87CADB03DC146E181E95E8FB689F653325FC698E1A425481,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035082Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:43.143{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED90951725E17F5BE6A75D5BEC77CD61,SHA256=3D935627ED933266FF45AAE7E0C995F2E7DE4CA98067FF2ECAF6C3E314B4D1D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035081Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:43.127{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9EA31B454AEECA0CA8B9970531B4D14,SHA256=56F04D9956F8721C25ADF86A5DEE07810355A3D1CB52C7A9CFB757D98524B457,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035080Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:43.018{8EF30467-6ACE-61E9-5803-000000002202}26723748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000059352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:43.768{67EB100B-5232-61E9-1100-000000002202}636NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1E9F910743440F280D7BEC821C3FB477,SHA256=5ACBEC6EC66A15E5AA0800E3A5593F94051D5D3FC4E0123A18A6F6252778A05B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:44.930{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F7837E7467525952D19F0F03D4EAFD4,SHA256=5C1F510CDFC846B58185E0060EC714A786FA2B76D06512A2F99433D2792E0B1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035110Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:44.768{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6AD0-61E9-5A03-000000002202}3384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035109Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:44.768{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035108Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:44.768{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035107Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:44.768{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035106Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:44.768{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035105Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:44.768{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035104Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:44.768{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035103Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:44.768{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035102Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:44.768{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035101Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:44.768{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035100Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:44.768{8EF30467-5220-61E9-0500-000000002202}412528C:\Windows\system32\csrss.exe{8EF30467-6AD0-61E9-5A03-000000002202}3384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035099Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:44.768{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6AD0-61E9-5A03-000000002202}3384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035098Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:44.769{8EF30467-6AD0-61E9-5A03-000000002202}3384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035097Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:44.268{8EF30467-6AD0-61E9-5903-000000002202}5244084C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035096Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:44.096{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6AD0-61E9-5903-000000002202}524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035095Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:44.096{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035094Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:44.096{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035093Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:44.096{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035092Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:44.096{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035091Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:44.096{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035090Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:44.096{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035089Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:44.096{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035088Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:44.096{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035087Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:44.096{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035086Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:44.096{8EF30467-5220-61E9-0500-000000002202}4121048C:\Windows\system32\csrss.exe{8EF30467-6AD0-61E9-5903-000000002202}524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035085Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:44.096{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6AD0-61E9-5903-000000002202}524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035084Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:44.097{8EF30467-6AD0-61E9-5903-000000002202}524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035083Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:44.065{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1D202B908DA728A6B1E689260E33983,SHA256=98A075764755A7D5E3D309D5C5ECB60954700A460A523CCA9CC08DD72A2D2BC4,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000059363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-SetValue2022-01-20 13:59:44.447{67EB100B-5230-61E9-0B00-000000002202}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000059362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-SetValue2022-01-20 13:59:44.447{67EB100B-5230-61E9-0B00-000000002202}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00603c5a) 13241300x800000000000000059361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-SetValue2022-01-20 13:59:44.447{67EB100B-5230-61E9-0B00-000000002202}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d80dfd-0x98380333) 13241300x800000000000000059360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-SetValue2022-01-20 13:59:44.447{67EB100B-5230-61E9-0B00-000000002202}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d80e05-0xf9fc6b33) 13241300x800000000000000059359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-SetValue2022-01-20 13:59:44.447{67EB100B-5230-61E9-0B00-000000002202}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d80e0e-0x5bc0d333) 13241300x800000000000000059358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-SetValue2022-01-20 13:59:44.447{67EB100B-5230-61E9-0B00-000000002202}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000059357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-SetValue2022-01-20 13:59:44.447{67EB100B-5230-61E9-0B00-000000002202}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00603c5a) 13241300x800000000000000059356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-SetValue2022-01-20 13:59:44.446{67EB100B-5230-61E9-0B00-000000002202}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d80dfd-0x98380333) 13241300x800000000000000059355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-SetValue2022-01-20 13:59:44.446{67EB100B-5230-61E9-0B00-000000002202}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d80e05-0xf9fc6b33) 13241300x800000000000000059354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-SetValue2022-01-20 13:59:44.446{67EB100B-5230-61E9-0B00-000000002202}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d80e0e-0x5bc0d333) 23542300x800000000000000059366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:45.952{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2637BF35FF706D30E1B3AE049D7C9783,SHA256=6B64A7522CEAC120EE6B19BE15D76850AD33170A0B9071E6922735F36D252656,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035114Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:45.424{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F81FCBD1EDE57FE761BF96BDF9EFBF3,SHA256=9C6217F07CB652C7A10EC31ED42C88E783ED52340BF0FF349F546DDB3AC87E69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035113Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:45.424{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D40164A783C0BB34A533BF5AFF9B864,SHA256=CE3DA1A5E41D8D36E022E293C658812F1D27BB6B18E0B3184DE0E4BC8B9B679F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035112Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:42.230{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50963-false10.0.1.12-8000- 354300x800000000000000059365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:43.902{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62389-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000035111Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:45.050{8EF30467-6AD0-61E9-5A03-000000002202}33843548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000059367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:46.967{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8F4230BAE91D39BEAA7787EA9D38914,SHA256=60ACB40F455F6F368A9B9973E74F52B280BE14BD1FFC0D5258634F42F3DBEE2E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035128Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:46.955{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6AD2-61E9-5B03-000000002202}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035127Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:46.955{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035126Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:46.955{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035125Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:46.955{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035124Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:46.955{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035123Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:46.955{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035122Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:46.955{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035121Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:46.955{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035120Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:46.955{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035119Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:46.955{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035118Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:46.955{8EF30467-5220-61E9-0500-000000002202}4121048C:\Windows\system32\csrss.exe{8EF30467-6AD2-61E9-5B03-000000002202}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035117Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:46.955{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6AD2-61E9-5B03-000000002202}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035116Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:46.956{8EF30467-6AD2-61E9-5B03-000000002202}2432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035115Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:46.393{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C66EBC73D3E1662B57D0222B444BD283,SHA256=F7EC2B98002A88461A46A9C0BA9B01423ADCCA878123643A91516E517ABA528E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035130Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:47.971{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FED9C38367FE34F7FFB92B93E8C4A4A,SHA256=053E0A6CDD6C63B72D5DFBCFCBD813F0B4C697E4828042CB37C5A3D5927B95FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035129Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:47.408{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DD2B8AB3C28761AB3FCA713A2D634BF,SHA256=2B82948CE37D84FE02BF341F3353ECF0FDD196755884B8F9AE7473BF9C826FC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:48.997{67EB100B-5642-61E9-4001-000000002202}5756ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\7iz75hwd.default-release\datareporting\glean\db\data.safe.binMD5=555670FC93787267DB7A345EDC820920,SHA256=EDC711EC2903620FF7B2FE8820926F23428849A2A9941D8FEB74810479C6751E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035131Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:48.424{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C295B05F9888DB488102CAA9A11A3C50,SHA256=AEBFE638870A63FDF18E2ACCB40103AA1B05E12E48AAA625AEB5A39FED620A84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:48.328{67EB100B-5243-61E9-2A00-000000002202}2992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D436AF652A33B7D06FAEE8F888192108,SHA256=D76038C381859681D8335FD4E07B206A8BF432D2938CEAE5F3738101625CBCCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:47.997{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA57F7AFA075A9A491984E70C675AA47,SHA256=1A17B1C4531BC04124A305F7688AB670CA03BA99F19CCABDDAE3E4B73F0F3DDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035132Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:49.440{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C9CE7B5BB94D8E978C7F1E382ECC8DD,SHA256=72F8308692E581E15BEFE856CACD4EB523BBC1BA29AFF61F523E566D5A4FF11E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:48.997{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D32DF8F1202F5032ABFB24200CA9E8C7,SHA256=C472F89FF3D9508FD83F262375546E6D36F2AF605F4472691CC84E061C57429F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035134Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:48.261{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50964-false10.0.1.12-8000- 23542300x800000000000000035133Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:50.455{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F28F2E4DE0A09C0CC13B5D86FE6EA46A,SHA256=61A91D38FD304544441346917CD79574E33AFBE1A895DE90AEB748D41ECD66E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:48.062{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62390-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000059372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:49.997{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3417A18DCE8D328416AF99D9B012BFAC,SHA256=B2499C136009BC8574112330EEB2DD97DE236FB5A8B8BC7A281CE45DEEB7CD7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035135Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:51.471{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A791D8A24261887718145970A64C28BA,SHA256=88C941E09BC7F611DD7D2CACF5A66DCA91EC9816145CFF5B68FA70A669B674CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:49.899{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62391-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:51.012{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=574FA74A7A4D156EA2A1E5BC91E43D4B,SHA256=ED18C9DD2930D492803AB62605219793FD9D75F1A7BE6DBD253F8D85EFB2DD50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035137Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:52.487{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40B2FE733FCD244A65F72BE72011C4AF,SHA256=5C1C05081CBDC350D16E2CBE16F660ED51F9ECFB34952D90CD3958F9080EFF3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:52.027{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86D09053009B080DB34C962E8EB91BD9,SHA256=2CF0A37F654A48CC2B208791D193D64DDF6BB57F60B159E011CAE696174C6654,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035136Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:52.268{8EF30467-5222-61E9-2000-000000002202}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D436AF652A33B7D06FAEE8F888192108,SHA256=D76038C381859681D8335FD4E07B206A8BF432D2938CEAE5F3738101625CBCCD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035139Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:51.339{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50965-false10.0.1.12-8089- 23542300x800000000000000035138Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:53.502{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CCAF5FFB26826B40714B6F9F107ACD2,SHA256=17AC341B0471FF619D1ABAAE84245E8159BC7671BF180F8BB35BC0E0FC8FEEFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:53.045{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=421AA32DF22056BB9CF99F43DDF2B49E,SHA256=B0BAEC1BEC2C458B0A21E8A55CB5903B83CA3246373B5E63BB9C6F7DB1A3F1C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035140Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:54.533{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DC2A056706593D900EEF395B5AC88F7,SHA256=B41513DF111531ED4224860FC942DAE3FEA8D6D596182C2F5855EB5FBE182D54,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:54.911{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:54.911{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:54.911{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:54.911{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:54.911{67EB100B-5286-61E9-7A00-000000002202}12643200C:\Windows\system32\csrss.exe{67EB100B-6ADA-61E9-DC03-000000002202}3924C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:54.911{67EB100B-5289-61E9-8900-000000002202}45244724C:\Windows\Explorer.EXE{67EB100B-6ADA-61E9-DC03-000000002202}3924C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+80267|C:\Windows\System32\SHELL32.dll+6717e|C:\Windows\System32\SHELL32.dll+17c29c|C:\Windows\System32\SHELL32.dll+19ea38|C:\Windows\System32\SHELL32.dll+284513|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17c540|C:\Windows\System32\SHELL32.dll+1799be|C:\Windows\System32\SHELL32.dll+736d1|C:\Windows\System32\SHELL32.dll+765b6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x800000000000000059379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:54.852{67EB100B-6ADA-61E9-DC03-000000002202}3924C:\Program Files\Notepad++\notepad++.exe8.2Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Temp\simulate.bat"C:\Windows\system32\ATTACKRANGE\Administrator{67EB100B-5288-61E9-FCE4-070000000000}0x7e4fc2HighMD5=460294BA06DB87C19B6755D2D315DCC2,SHA256=F4921855A22003A8979DF81532BC4F26AF50E8357B9DA2335CA2309012A0D5F9,IMPHASH=CE86A23E612B007E34CBDD39A996AE98{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000059378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:54.064{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4601594EAA363827DBA2B1324C8D0524,SHA256=D8CF3F9E213176AE52EE3E4645A93A8B0C345ACFD26B9CE80E14D80E0EF0BE74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035141Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:55.565{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE3870B8F7E6EE1FBE6C3EAF7D74AA53,SHA256=304FC8F48C1C25763E1EE79C507E223EE73477E0D0AAE81A258D01C1AF3DC749,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:55.880{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F49DB9A4FB91B0CC229664249665B61C,SHA256=6E951D2BFF40FD3232C8A8B5FE976A8DE1317C2DFB6BEB1F30E2F0069234AA25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:55.880{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53BD0E50BE1D4F1B47D36772F63430BB,SHA256=C87254DF5A047A03EFC931EDA6D21E56DE7913CC3CBA2D2979FBE97D752CD86C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:55.211{67EB100B-5289-61E9-8900-000000002202}45242224C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:55.211{67EB100B-5289-61E9-8900-000000002202}45242224C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:55.211{67EB100B-5289-61E9-8900-000000002202}45242224C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:55.196{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62db0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:55.196{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+62d6c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:55.196{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62d40|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:55.196{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000059386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:55.095{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE9951E71C2F6A94D35A58408746BC6F,SHA256=41169C77308C89162F23F2A5BB1D14965D554A9A8969B98B0EB0F35C5BA55F25,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035143Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:54.183{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50966-false10.0.1.12-8000- 23542300x800000000000000035142Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:56.596{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A14AAFBA1A23E9E2579C8AFDBD34AF66,SHA256=AE8B271824D94C66FD83391A2E580CC52E9A4312EA310F1A04A987608041B352,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:56.095{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34CF7F397B294133EFE7B2BCD97DEC7C,SHA256=8C855532BB1D65252A586F08DBA30C418FAD90BE853DBEC8E59F01A6847706F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035144Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:57.612{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3788C01A729CB4B7AC6D4DB730F358A7,SHA256=36872A6556EADFF8DD027C0030ED315B6F2E660645D6935BFB7918359156005C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:57.882{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5230-61E9-0B00-000000002202}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:57.882{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5230-61E9-0B00-000000002202}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:57.882{67EB100B-5230-61E9-0B00-000000002202}6486544C:\Windows\system32\lsass.exe{67EB100B-5230-61E9-0A00-000000002202}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000059398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:55.876{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62392-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:57.096{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88D418E066F19C5ED71B630B575AD88A,SHA256=3E9341A84082B697FF7F31FE56E5EBF34A922ECAB300CBA9EF9D9C8F1E380B2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035145Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:58.643{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BC8E02606A2D719FD603E9E91D7D96C,SHA256=40A28EDE67EFC5FC533D8B82DFE1615154F22315A66834613E28CC7B57D5C8AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:58.898{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6A4ECFD6886673FE1172B2C414EED6F1,SHA256=700EB9E3D095842BE1CB41A61545EC7EFBDB5C361C58F8F380611B5E62DF78E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:58.898{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=AFB942820A76CABCA1C07324CEB0AA8D,SHA256=088BE1A6DA12BBF2879E27F16A4929297F23A9A54CB8C2FA060561F51085DE85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:58.098{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6774FFED7152BF613FB3EB41030D810,SHA256=E56ED28677019B37E2B8E0F174505607EA1ECA296499E102A03F921DE02E14A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035146Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:59.658{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A246650D4469D0A2241597D3DD86B0CE,SHA256=EC4FCE0CB747FAE127413132958B1785DD46D068172D26294C3A25A865DCBC60,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:57.638{67EB100B-5232-61E9-1400-000000002202}1064C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62393-false8.248.141.254-80http 354300x800000000000000059408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:57.633{67EB100B-5243-61E9-2600-000000002202}2864C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local60353- 354300x800000000000000059407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:57.633{67EB100B-5243-61E9-2600-000000002202}2864C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local60771- 354300x800000000000000059406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:57.633{67EB100B-5243-61E9-2600-000000002202}2864C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local49507- 23542300x800000000000000059405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:59.129{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA6EC60256C8ADDE448BCC339EE3AF7C,SHA256=B32063433EB021BB75E118BB53D33E6DEE6D80DA7BF63BB5DD984E74A814AE30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035147Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:00.690{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=938FABBF6D511BFED1A3D7F455E1700A,SHA256=CC9BB56184722DC0DD1FC8FA21606A2D1D7629AC631AE5944B286FC5899D4AD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:00.166{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60AF41F238D96BF0F7D385BAF4E608B0,SHA256=FE8E8DDB67802F226F62039B58F163FF0A8FEFF93FE30768102F610DC323225A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035149Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:59.307{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50967-false10.0.1.12-8000- 23542300x800000000000000035148Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:01.768{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EB3BDBD7D4670F342825B4B7AB95A79,SHA256=CFD18F726EF53BC20A2A6EA10F9EE07EE112D5A49F28126F552D2300A7D843C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:59.215{67EB100B-5243-61E9-2600-000000002202}2864C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-52606- 354300x800000000000000059413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:59.215{67EB100B-5232-61E9-1400-000000002202}1064C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:98c0:e1f6:83dc:ffff-52606-true7f00:1:0:0:0:0:0:0-53domain 354300x800000000000000059412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:59.178{67EB100B-5243-61E9-2600-000000002202}2864C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local52606- 23542300x800000000000000059411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:01.180{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AD3AEBC3FF3BD31E0DAC58727332898,SHA256=F3CE7BAD101A2D06FC2E769FD4BE5C3F55DF0F109ECC32EB9144AF197D7BC522,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035150Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:02.783{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E38422372BC3E0459008F2346ED3CF08,SHA256=2FE4F876DEC4C6AEC371D912612E3FA189C7F7980A18855BEF2E436664A8813A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:59.267{67EB100B-5232-61E9-1400-000000002202}1064C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-52606-false127.0.0.1-53domain 23542300x800000000000000059416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:02.196{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=488BB667EB84AAE039BE911F07DC3DB4,SHA256=3A128A71F0EF1205D308AD34DD6BD59B2DFCFB99F95EDD504953A1EA896D0748,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:02.047{67EB100B-5833-61E9-A001-000000002202}6952ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=40E3E0FDB4B434ABE11234CF023CEF15,SHA256=962973822FCA355DB8671C56F99A8070487658084A0655985E1BFB2BC265BC2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035151Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:03.799{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C3B8E86E4EB2E8FBDCEAC7B605F8503,SHA256=7E94B792EF39FAB69E6ED6A94EB97273D3761326A95B9CA41AEB5BF982935481,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:01.780{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62394-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:03.210{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB6FB3E6EAE4F219C59AC860E684376B,SHA256=DFC51ED74E8BDC3ADCC8C586000657DA1694E761B1CF2071403360E93692A4FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035152Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:04.815{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D47EB572E0ABC3894895A74A7E22E56F,SHA256=D1702851CAF65DD1C060C4CCE0B3222667F98B07E2D24209234340FF7C564E27,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:04.778{67EB100B-5288-61E9-8100-000000002202}37086768C:\Windows\System32\RuntimeBroker.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000059455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:04.778{67EB100B-5288-61E9-8100-000000002202}37086768C:\Windows\System32\RuntimeBroker.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000059454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:04.763{67EB100B-5289-61E9-8900-000000002202}45246984C:\Windows\Explorer.EXE{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:04.763{67EB100B-5289-61E9-8900-000000002202}45246984C:\Windows\Explorer.EXE{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:04.711{67EB100B-5288-61E9-8100-000000002202}37086768C:\Windows\System32\RuntimeBroker.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000059451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:04.711{67EB100B-5288-61E9-8100-000000002202}37086768C:\Windows\System32\RuntimeBroker.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000059450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:04.680{67EB100B-5288-61E9-8100-000000002202}37086648C:\Windows\System32\RuntimeBroker.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000059449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:04.680{67EB100B-5288-61E9-8100-000000002202}37086648C:\Windows\System32\RuntimeBroker.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e 10341000x800000000000000059448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:04.680{67EB100B-5289-61E9-8900-000000002202}45244576C:\Windows\Explorer.EXE{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:04.680{67EB100B-5289-61E9-8900-000000002202}45244576C:\Windows\Explorer.EXE{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:04.680{67EB100B-5289-61E9-8900-000000002202}45244700C:\Windows\Explorer.EXE{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba0bc|C:\Windows\System32\TwinUI.dll+ba897|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000059445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:04.680{67EB100B-5289-61E9-8900-000000002202}45244700C:\Windows\Explorer.EXE{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba0bc|C:\Windows\System32\TwinUI.dll+ba897|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000059444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:04.649{67EB100B-5289-61E9-8900-000000002202}45242224C:\Windows\Explorer.EXE{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:04.646{67EB100B-5289-61E9-8900-000000002202}45242224C:\Windows\Explorer.EXE{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:04.644{67EB100B-5230-61E9-0B00-000000002202}6486544C:\Windows\system32\lsass.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:04.626{67EB100B-5289-61E9-8900-000000002202}45242224C:\Windows\Explorer.EXE{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:04.595{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:04.595{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:04.595{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:04.595{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:04.595{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000059435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:04.595{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000059434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:04.595{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:04.595{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000059432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:04.595{67EB100B-5289-61E9-8900-000000002202}45245584C:\Windows\Explorer.EXE{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:04.595{67EB100B-5289-61E9-8900-000000002202}45245584C:\Windows\Explorer.EXE{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:04.595{67EB100B-5232-61E9-1600-000000002202}12884392C:\Windows\system32\svchost.exe{67EB100B-6AE4-61E9-DD03-000000002202}7060C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:04.595{67EB100B-5232-61E9-1600-000000002202}12881328C:\Windows\system32\svchost.exe{67EB100B-6AE4-61E9-DD03-000000002202}7060C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:04.579{67EB100B-5286-61E9-7A00-000000002202}12643096C:\Windows\system32\csrss.exe{67EB100B-6AE4-61E9-DD03-000000002202}7060C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:04.563{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:04.563{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:04.563{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:04.563{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:04.563{67EB100B-5230-61E9-0500-000000002202}4162448C:\Windows\system32\csrss.exe{67EB100B-6AE4-61E9-DD03-000000002202}7060C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:04.563{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-6AE4-61E9-DD03-000000002202}7060C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37396|c:\windows\system32\rpcss.dll+3df7d|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000059421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:04.574{67EB100B-6AE4-61E9-DD03-000000002202}7060C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {24AC8F2B-4D4A-4C17-9607-6A4B14068F97} -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{67EB100B-5288-61E9-FCE4-070000000000}0x7e4fc2HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{67EB100B-5232-61E9-0C00-000000002202}864C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x800000000000000059420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:04.244{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FECA1EA732687EC793C8526BF306C9F,SHA256=1B81677BA97A5FDCA199AD4DC35EA464207C1816CE2522C1BDC2891800BFB9D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035154Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:05.911{8EF30467-5222-61E9-1D00-000000002202}1936NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08eff906c3b0b2aeb\channels\health\respondent-20220120121429-102MD5=9C7CC3E13423C542C468574212C91F42,SHA256=598A0B94AA34B4E0F57831480B3ABFCDA89CC50178B87C4D9085997CAB025298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035153Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:05.815{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=974BE049256DA035C417BFBE17EBD88E,SHA256=C203B8BAB045C7CDCA241F7624EF1B5B3F4EDC32F421BC5F9C0D8483BE5414D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:05.578{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91FC334216C0C08EA162543FDF359B3E,SHA256=544FE192C057BBF271395CD84BEC6A17AD17959DBD67D281411F099F6655C9DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:05.578{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F49DB9A4FB91B0CC229664249665B61C,SHA256=6E951D2BFF40FD3232C8A8B5FE976A8DE1317C2DFB6BEB1F30E2F0069234AA25,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:05.409{67EB100B-5289-61E9-8900-000000002202}45244700C:\Windows\Explorer.EXE{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba0bc|C:\Windows\System32\TwinUI.dll+ba897|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000059469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:05.409{67EB100B-5289-61E9-8900-000000002202}45244700C:\Windows\Explorer.EXE{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba0bc|C:\Windows\System32\TwinUI.dll+ba897|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000059468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:05.394{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:05.394{67EB100B-5289-61E9-8900-000000002202}45247052C:\Windows\Explorer.EXE{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:05.394{67EB100B-5289-61E9-8900-000000002202}45247052C:\Windows\Explorer.EXE{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:05.394{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:05.394{67EB100B-5289-61E9-8900-000000002202}45242224C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:05.394{67EB100B-5289-61E9-8900-000000002202}45242224C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:05.394{67EB100B-5289-61E9-8900-000000002202}45242224C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:05.378{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62db0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:05.378{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+62d6c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:05.378{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62d40|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:05.378{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000059457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:05.342{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96DBE58DE2C7E4AB0C72F9614A5210BA,SHA256=0EB524952AB2F06C9D7D8FCD3D86632E4CD2256DC313667FD2D7BB5CB58C4D8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035156Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:06.924{8EF30467-5222-61E9-1D00-000000002202}1936NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08eff906c3b0b2aeb\channels\health\surveyor-20220120121427-103MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035155Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:06.829{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=303B1DA3A27D931A993C14A12CC02AA4,SHA256=5B94D7ED25B5D79343C7C22C2AAB90832F7D5C342A764BB3D569BBB3E9E4A63D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:06.741{67EB100B-5833-61E9-A001-000000002202}6952ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\simulate.bat@2022-01-20_140002MD5=10F76DCD089682A735CA50BA9DC8DECA,SHA256=9234B6F5965B869B684EE6A1E75D44FF50A0E2A4FDFD4FA4145EBDBD6FF0F246,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000059475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:06.725{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exeC:\Temp\simulate.bat2022-01-20 13:59:34.026 23542300x800000000000000059474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:06.725{67EB100B-5833-61E9-A001-000000002202}6952ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\simulate.batMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:06.362{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA5D05DBF4615E5E640DC4074FBCE773,SHA256=955BB3CC1907DA4729CBEB97AFDCEAB8B5253D6766BB90F37E3AEE6B75E8C328,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035157Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:07.844{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E3817C25BFAFEB85C8C44D875136869,SHA256=E6C4A14476E575F06BB4D84F59F1B5D5AD2DDD14BD0BB9D5BADB6B3D90A37F1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:07.380{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC503CC2A2548E854784D430D9AE7295,SHA256=6782F952BF5081A8A8DFCC5956F495066DA77275B4B3736CE6F4B8C94C3B0C5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035159Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:08.844{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D6C441F4A275E7B137E4E71550B580E,SHA256=8F80587940B53EABD9D809C09A381E476383036192F4CC678956DEEA52A9589F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:07.003{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62395-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:08.400{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CED8826AD84F8302AA468E50EE3F1373,SHA256=D311EA6751360CCC8F87A6CBB93B4EC998AA5FAD67CAB8A5BADEEB03DFED9208,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035158Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:05.072{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50968-false10.0.1.12-8000- 23542300x800000000000000035160Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:09.845{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6981A8367DA4A1B9818A70539C0D0D45,SHA256=6561B17BBAC12CF9F186066C3532157EB4160584E73504F8EA36E2DCCB64928E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:09.401{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BD604C8342895F9D2D267B45E5D3977,SHA256=1F2FA2BB49DABD77C8AF61CBFE33CA2890FC81FB738392F7036D23F106D76FE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035161Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:10.860{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A43E802EAD1A290D51C395ACD3B20911,SHA256=6BF066E0F3374D053665CDB8CBD1286F53492152C46ACDC858E4FB8FD6F6F28D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:10.733{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000059493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:10.733{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000059492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:10.733{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000059491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:10.733{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000059490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:10.733{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000059489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:10.733{67EB100B-5289-61E9-8200-000000002202}41245608C:\Windows\system32\sihost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:10.686{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000059487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:10.686{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000059486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:10.686{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 23542300x800000000000000059485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:10.405{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11B859303A83C4BBAA1FDD76498F55C6,SHA256=9C958F38FFEF345CF5AA97F7DC40DB10678162AB9A51F60FE733052FBBF0678A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:10.252{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000059483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:10.252{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000059482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:10.251{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000059481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:10.251{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 23542300x800000000000000035162Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:11.876{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50D29B5B4E6141A02DCF86800616319E,SHA256=4E9BDE3F1511D4795A90B6014CA5D0A0FE7926F146CE611DF926F46110E54846,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:11.876{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6AEB-61E9-DF03-000000002202}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:11.876{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:11.876{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:11.876{67EB100B-5230-61E9-0500-000000002202}4162384C:\Windows\system32\csrss.exe{67EB100B-6AEB-61E9-DF03-000000002202}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:11.876{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:11.876{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:11.876{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6AEB-61E9-DF03-000000002202}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000059504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:11.878{67EB100B-6AEB-61E9-DF03-000000002202}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:11.445{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B90E51BF335B5E24FC2F51AC6BCAF4FA,SHA256=3FC7CAE2128696857B4D86BC06BC9D54EA963B4A42EE97AE40C16CFCA3989A2B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:11.102{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6AEB-61E9-DE03-000000002202}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:11.102{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:11.102{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:11.102{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:11.102{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:11.102{67EB100B-5230-61E9-0500-000000002202}416544C:\Windows\system32\csrss.exe{67EB100B-6AEB-61E9-DE03-000000002202}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:11.102{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6AEB-61E9-DE03-000000002202}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000059495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:11.103{67EB100B-6AEB-61E9-DE03-000000002202}6576C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035163Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:12.891{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD9132A85218949849E33370DD12ED12,SHA256=C17ACAB086A598EF16B5BA613A07F3D0204073B174F8D0B3248E635803486B57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:12.476{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D45DE448541F740DB34CF474C0B48729,SHA256=E08E4153FEB419967D53062D9EACD8F22DDC66CB404437A2001E52D841E91B96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:12.193{67EB100B-6AEB-61E9-DF03-000000002202}19041020C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000059513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:12.108{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE0ED576C9104E66697441EDB16E5599,SHA256=FD50ACB80E255F96E8005A90AA419B85F35DF634B6740AC10AB9937A64770565,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:12.108{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91FC334216C0C08EA162543FDF359B3E,SHA256=544FE192C057BBF271395CD84BEC6A17AD17959DBD67D281411F099F6655C9DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035165Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:13.907{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34F93457E3E7FB05592B4913E3298FD3,SHA256=BDDD144638CF1B9979CEDD0D0070C5868B9C60B0535A071673BD2BAA104B8C98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:13.494{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B3BE5722E070CBB0780B7321EBD7567,SHA256=86E5FC8256614042E8EEA7F243548149C4A79B5FBFC6F302EA168434B6203D21,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035164Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:10.290{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50969-false10.0.1.12-8000- 10341000x800000000000000059523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:13.207{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6AED-61E9-E003-000000002202}304C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:13.207{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:13.207{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:13.207{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:13.207{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:13.207{67EB100B-5230-61E9-0500-000000002202}416432C:\Windows\system32\csrss.exe{67EB100B-6AED-61E9-E003-000000002202}304C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:13.207{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6AED-61E9-E003-000000002202}304C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000059516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:13.208{67EB100B-6AED-61E9-E003-000000002202}304C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035166Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:14.922{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15AC5E69C5DC7D960647C56D3F7159DE,SHA256=D945AE487B32ADC53C84549A11E3751C1F414C70ADC50FE343C854D1A430C9D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:12.742{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62396-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000059543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:14.583{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6AEE-61E9-E203-000000002202}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:14.583{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:14.583{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:14.583{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:14.583{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:14.583{67EB100B-5230-61E9-0500-000000002202}4162384C:\Windows\system32\csrss.exe{67EB100B-6AEE-61E9-E203-000000002202}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:14.583{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6AEE-61E9-E203-000000002202}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000059536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:14.584{67EB100B-6AEE-61E9-E203-000000002202}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:14.504{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29BA5B91AF80F6E2CA418666E8C25CD4,SHA256=10C24B45F3E447ECF9AA8A2CCB16765BB023948A22A8245A5B9375BD5CC96D13,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:14.379{67EB100B-6AEE-61E9-E103-000000002202}11406956C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000059533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:14.231{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE0ED576C9104E66697441EDB16E5599,SHA256=FD50ACB80E255F96E8005A90AA419B85F35DF634B6740AC10AB9937A64770565,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:14.094{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6AEE-61E9-E103-000000002202}1140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:14.094{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:14.094{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:14.094{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:14.094{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:14.094{67EB100B-5230-61E9-0500-000000002202}4162448C:\Windows\system32\csrss.exe{67EB100B-6AEE-61E9-E103-000000002202}1140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:14.094{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6AEE-61E9-E103-000000002202}1140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000059525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:14.095{67EB100B-6AEE-61E9-E103-000000002202}1140C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035167Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:15.939{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D948C25636A4509CDE893086521CB0A,SHA256=A44AE53BC3A968663C67F9B700A86B9DDCDA8CE05FEA42443CD9EB0C9CD9C28D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:14.370{67EB100B-5230-61E9-0B00-000000002202}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local62397-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local389ldap 354300x800000000000000059557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:14.370{67EB100B-5243-61E9-2300-000000002202}2824C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local62397-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local389ldap 23542300x800000000000000059556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:15.599{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDF034215E03BFC607E9C3D859272925,SHA256=0BEF10E4823F5672BE0047DEBF505C319E2059370A5A25DAADCE66C78E81CB8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:15.530{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7285BEE855FCE3DE2506931E1198CBF0,SHA256=659584E54AF7D1750E57E9FFE8463A0B2C91FEC9D13984968AD258DFB9A9F28B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:15.383{67EB100B-6AEF-61E9-E303-000000002202}6205812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:15.161{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6AEF-61E9-E303-000000002202}620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:15.161{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:15.161{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:15.161{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:15.161{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:15.161{67EB100B-5230-61E9-0500-000000002202}4162384C:\Windows\system32\csrss.exe{67EB100B-6AEF-61E9-E303-000000002202}620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:15.161{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6AEF-61E9-E303-000000002202}620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000059546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:15.162{67EB100B-6AEF-61E9-E303-000000002202}620C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000059545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:15.071{67EB100B-6AEE-61E9-E203-000000002202}56841000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035168Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:16.957{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B1D640391DCF8CEFD88EC42442389D1,SHA256=A3236CDA0043206FC51A082FDA745585CB6BD8E4640D3386B0822AE6AF9636B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:16.882{67EB100B-5289-61E9-8900-000000002202}45242224C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:16.882{67EB100B-5289-61E9-8900-000000002202}45242224C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:16.882{67EB100B-5289-61E9-8900-000000002202}45242224C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:16.877{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62db0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:16.876{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+62d6c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:16.876{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62d40|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:16.876{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000059559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:16.545{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8800EF3809EF2771414D3DED6FEB77B7,SHA256=6E18BD2D497CDA74F92069E28254B6349E54CD0E3E71C2C3560E3A0D0F1EF7CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035169Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:17.969{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96D701377B2B958CEB47B655CB9533D8,SHA256=7D35590B359721E4DEAC25C839899764EDF5ED079B077B437226F39233AE3B47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:17.581{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB2ECE2D24B088D93B873F42C87EF04E,SHA256=9981947851B32B18EA557845822F39C6427DA45FA3AD35445EAA72CD39F1DE86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035170Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:18.985{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2152760321EEECF44F5F84669CEF4323,SHA256=02063E63393B1B39E6F129EAFE0EFE3294FB4BC5801C5C954CC9DADF8A62BD0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:18.640{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC9775D41DE5B399BCF8CEF4FB0FD72A,SHA256=3D595B8E6BDC0FBB0021A7C1193839D336EC20061409E3333DEF84AAEF4469C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:18.400{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6AF2-61E9-E403-000000002202}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:18.400{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:18.400{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:18.400{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:18.400{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:18.400{67EB100B-5230-61E9-0500-000000002202}416544C:\Windows\system32\csrss.exe{67EB100B-6AF2-61E9-E403-000000002202}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:18.400{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6AF2-61E9-E403-000000002202}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000059568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:18.401{67EB100B-6AF2-61E9-E403-000000002202}4468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000059579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:17.748{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62398-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:19.654{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D4578AC83AC6099E3FEB8FF1792C89,SHA256=81219559AAE1293161F47FB2CE8E4EB79B7AAE7CC3B93E1EA8C7926D923CB76F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035171Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:16.228{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50970-false10.0.1.12-8000- 23542300x800000000000000059577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:19.408{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=678B4A1BDEEDC0F2C168C265C831BA06,SHA256=CE2D8775BD62BDFAA1F7E613CC6B30A250F7FD1C291095868C582992AD7447F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:20.655{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF23C23021D97DD29BC4E43EE725F00E,SHA256=7D1CDD5A3FD0C0A52F5C25C24C98353F968C83BE30029C74819F2F2C14D27F78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035172Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:20.001{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3BF12B2EDA28200FD1088FABF1F2EFF,SHA256=8431C077153C3847E119A59EBA457C3E5465F521857BFC4BDA233C1006392BA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:21.670{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E1B9BDB8768BEB71D3F360A4507F44F,SHA256=A6A586722A1CE9031DA97B03556FF32D115CCDC79B9EEF0546DD4DC70CF7E95A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035173Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:21.001{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A7887D256ACFC8F4EF051515B53825D,SHA256=592BB6563BD2C22514D24C12AE4C76DE257CBCB05A0BE55366D4AD538AB4D120,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:22.686{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAA2C2C032EAC2171F6271054141F7B2,SHA256=560EFEFED009AAC7F181E5BF1C46B6FC304FB0C504148E829B296D15144F40EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035174Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:22.016{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A53B27B4DF769BCE2DF9B7EA6946B88C,SHA256=E849782245AA46A7FC1F8AFB2BF20AD7993FA907A9F35D5083A04C31FCD01147,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:22.438{67EB100B-5289-61E9-8900-000000002202}45242224C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:22.438{67EB100B-5289-61E9-8900-000000002202}45242224C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:22.438{67EB100B-5289-61E9-8900-000000002202}45242224C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:22.438{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62db0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:22.438{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+62d6c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:22.438{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62d40|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:22.438{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000059591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:23.686{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE475D2A60F08B02268B568774020DCC,SHA256=99D3AF359143570B7FC479C32FBEC5CEA1596778894C56590785313457129A68,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035176Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:21.306{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50971-false10.0.1.12-8000- 23542300x800000000000000035175Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:23.032{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EC5FA273675BA537E8A04F9FE201B40,SHA256=18CB68C6DCEE6DDC541586172B7602C691203804A199317CD31D2449F0102385,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:23.303{67EB100B-5230-61E9-0B00-000000002202}6486544C:\Windows\system32\lsass.exe{67EB100B-5232-61E9-1400-000000002202}1064C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000059592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:24.686{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2050ED7C595D075760450BBA294911F3,SHA256=2CF203CE3375777577144BBC92A21720112682F78D1B0815F48652FFA7F0D5BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035177Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:24.047{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C5EF2362AEB9BC7371603A0A7D83487,SHA256=29387C9FD2BC0914F786EAA2BE3E5AC5A7539123FD17B703D1D07ABAFF63F561,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:25.686{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE4907E29E03A2FD02C1DB5722853517,SHA256=EB2505D9591ABE8411E3BDA9E7845FB4F61F88A3A5563F59DF14841E50F8AD6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035178Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:25.063{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5695F0D8015F1AD20E7788DF969D7CEB,SHA256=36593396204CB8F37D2E46853EC19E3328C8F5DDBC3E94A11A687FC464B60A5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:23.040{67EB100B-522E-61E9-0100-000000002202}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4583:762e:c49e:9a52win-dc-tcontreras-attack-range-957.attackrange.local62400-truefe80:0:0:0:4583:762e:c49e:9a52win-dc-tcontreras-attack-range-957.attackrange.local445microsoft-ds 354300x800000000000000059594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:23.040{67EB100B-522E-61E9-0100-000000002202}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4583:762e:c49e:9a52win-dc-tcontreras-attack-range-957.attackrange.local62400-truefe80:0:0:0:4583:762e:c49e:9a52win-dc-tcontreras-attack-range-957.attackrange.local445microsoft-ds 354300x800000000000000059593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:22.959{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62399-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:26.707{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C27DE114A8FD33FF5AAD8EAD21642422,SHA256=F60C2BC82406F48B90A0697D8DA6CC9F1F8CDA93A7E3FCE97649C4137B4CA470,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035179Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:26.079{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4A3FB8A492F81B5DFF39F27CD5B3B90,SHA256=7C40A136F7018E995135F78F0C75C570D17221E6D0131D57876B18844766906B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:26.123{67EB100B-5230-61E9-0B00-000000002202}6484172C:\Windows\system32\lsass.exe{67EB100B-522E-61E9-0100-000000002202}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32475|C:\Windows\system32\lsasrv.dll+302fb|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000059599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:26.123{67EB100B-5230-61E9-0B00-000000002202}6486544C:\Windows\system32\lsass.exe{67EB100B-5232-61E9-1400-000000002202}1064C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:26.024{67EB100B-5230-61E9-0B00-000000002202}6486544C:\Windows\system32\lsass.exe{67EB100B-5232-61E9-1600-000000002202}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:26.008{67EB100B-5230-61E9-0B00-000000002202}6484172C:\Windows\system32\lsass.exe{67EB100B-5232-61E9-1600-000000002202}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000059606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:27.723{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7F293825FB54F4EB0580F66ABBA7024,SHA256=18FE5F3AE3808A33F916A8BFF73ABFDC6DDAE98B0A92F2E181D32AC6A16FE89B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035181Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:27.657{8EF30467-5221-61E9-1100-000000002202}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=54EA1A4CB8AB35358ABF1404D5D249EE,SHA256=8FFE70182F28B705208D3BBD2FCF0CBD4E019255008535455EE86EA3735BFC2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035180Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:27.094{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8FC47BFD32FA5B19EEBE0838DB72EAD,SHA256=0E50F21A58C15AC8E4AC035705510159142D4B7A905F7A32D9F272149A4ED041,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:27.686{67EB100B-5230-61E9-0B00-000000002202}6486544C:\Windows\system32\lsass.exe{67EB100B-5232-61E9-1000-000000002202}420C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:27.686{67EB100B-5230-61E9-0B00-000000002202}6486544C:\Windows\system32\lsass.exe{67EB100B-5232-61E9-1000-000000002202}420C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000059603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:27.024{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFAE191D4272A1492673F6281690ABEE,SHA256=BA4C82782A9F3B89880F4D18E4208C59965B1E587E0FBBD27A032371A78A2508,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:27.024{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=213E8012BF8C06792C7BD9B9493D4744,SHA256=4B6198488C9BD46DFDB53D68573DD10EE8AC0A9B5E07CC097C3542A7DCE262F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:28.904{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:28.903{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:28.903{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:28.903{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:28.903{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:28.903{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:28.903{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:28.903{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:28.903{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:28.903{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:28.903{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:28.903{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:28.903{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:28.903{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:28.903{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:28.903{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:28.903{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:28.903{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:28.903{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:28.903{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000059611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:28.724{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7886720545C8C30A46C944E21598C07E,SHA256=4A2DA97F5C13B8E79CF446EAFA91678FF45E014F50876D1C87E4A2EF7E674528,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035182Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:28.095{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=285999CDA71F643270681DE0CE25ED94,SHA256=BF294AF3DC962A0FE2C72905F1BC54882640505600821A95474FA1C6788DCD53,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:25.766{67EB100B-5230-61E9-0B00-000000002202}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62402-false10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local389ldap 354300x800000000000000059609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:25.766{67EB100B-5232-61E9-1600-000000002202}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62402-false10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local389ldap 354300x800000000000000059608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:25.748{67EB100B-5230-61E9-0B00-000000002202}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4583:762e:c49e:9a52win-dc-tcontreras-attack-range-957.attackrange.local62401-truefe80:0:0:0:4583:762e:c49e:9a52win-dc-tcontreras-attack-range-957.attackrange.local389ldap 354300x800000000000000059607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:25.748{67EB100B-5232-61E9-1600-000000002202}1288C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4583:762e:c49e:9a52win-dc-tcontreras-attack-range-957.attackrange.local62401-truefe80:0:0:0:4583:762e:c49e:9a52win-dc-tcontreras-attack-range-957.attackrange.local389ldap 23542300x800000000000000059633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:29.724{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4E3B692043960D341E46528BE106CA8,SHA256=5B55333DDA4BE01D8704E1AE7673E6990ED674CCC21F2E58D6A77A3EFC6196B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035184Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:27.196{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50972-false10.0.1.12-8000- 23542300x800000000000000035183Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:29.110{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EF1D6E053A21A8D7EBA9AC87ADABEF5,SHA256=7E9E9E41529FB3F0316936C169D36F5D8893830D207DC133CE64A7C7AD9B9C75,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:27.421{67EB100B-5243-61E9-2600-000000002202}2864C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local61981- 23542300x800000000000000059635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:30.725{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC217B730BF73EB30989347C275DAE93,SHA256=4DFBB70966F14035A21A337AACFB0208D4B4B8C0D89F9D0CADDFBB39F2FB501D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035185Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:30.110{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F1F72755D381162F03718127F37E6AC,SHA256=B6038007347EB27EC63156617D01DEB7BC47C7D73663104EC3C62379F8D2FB4B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:27.974{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62403-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:31.740{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=293361430DB05BCAA03B7C4E90994E2F,SHA256=AF7D4EFBE1411E8708D38F61F5809277766AC1ACC3FEA316806F9B883986958D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035186Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:31.125{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DA5923AEDC8395EB27B757D9E7A19DE,SHA256=12D9EE421F42E9CAC56C94A993B0310D6C2B47FCD2C4ED255AB9F1036CB260C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:31.708{67EB100B-5289-61E9-8900-000000002202}45244676C:\Windows\Explorer.EXE{67EB100B-5642-61E9-4001-000000002202}5756C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a20|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF800F78EAFF8)|UNKNOWN(FFFFF5DD3A6A5B48)|UNKNOWN(FFFFF5DD3A6A5CC7)|UNKNOWN(FFFFF5DD3A6A0351)|UNKNOWN(FFFFF5DD3A6A1D1A)|UNKNOWN(FFFFF5DD3A69FFD6)|UNKNOWN(FFFFF800F7602503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5928b|C:\Windows\System32\SHELL32.dll+dac4a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000059638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:31.708{67EB100B-5289-61E9-8900-000000002202}45244676C:\Windows\Explorer.EXE{67EB100B-5642-61E9-4001-000000002202}5756C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55501|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF800F78EAFF8)|UNKNOWN(FFFFF5DD3A6A5B48)|UNKNOWN(FFFFF5DD3A6A5CC7)|UNKNOWN(FFFFF5DD3A6A0351)|UNKNOWN(FFFFF5DD3A6A1D1A)|UNKNOWN(FFFFF5DD3A69FFD6)|UNKNOWN(FFFFF800F7602503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5928b|C:\Windows\System32\SHELL32.dll+dac4a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000059637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:31.707{67EB100B-5642-61E9-4001-000000002202}5756ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF60f4ec.TMPMD5=283F9FDBF815B232B94D59794C934AA9,SHA256=B37CFCFA48EB0442B1F71D7D304494C1CC387CD0F72EBE5907C6B99CDC4ED8C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:31.471{67EB100B-5289-61E9-8400-000000002202}41764244C:\Windows\system32\taskhostw.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000059641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:32.757{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBBF4AC05A781B935F2223A647F5D9E6,SHA256=E7A78CAACE3606083DDF178B6DEFD9F9F2CCDDB9AEA372D621D97F279BC91AF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035187Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:32.142{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A8F4A3FDAC0223BDDB4A0FBC3D84D2,SHA256=916532691C00D06A968CB9C33B7B9FD64B79AA23814824AE1ECFD766A70CD5C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:33.773{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D924C60D2DE9241E02C8D7C63209877D,SHA256=7B9C8C87E19532B3DB95EB52C2811A680B07686AEA29345A60A5EDCE510D3D68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035188Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:33.157{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F154CA23A478A1ADB5C4EA19D1195BC7,SHA256=E741C8F0F295A3A1735BEBF6AD18E975A27AFE66FE810995EC6B651C0DCBFDF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:33.088{67EB100B-5289-61E9-8400-000000002202}41764244C:\Windows\system32\taskhostw.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000059644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:34.790{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B540A50DE9AFB5BCC3BFA8A72092A74F,SHA256=B29531B1BB637B6AD69AFF2661CD9C47C2AC54A467039DF6EECE7CEE31CFE28E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035189Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:34.172{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5B7D5AF4CDCF885CB0C7024B91AF787,SHA256=829A0F2FE8F702D203ED770FCFF61A8F85312B15C7051C09C1A7B30FB58EF7B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:35.793{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=420A698E0140BCD64E8F00E0E3CE8006,SHA256=E9B3407A289C2BAAA4B81087FE34E582D4091BFFE60C43B26956592FDD5A7ED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035191Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:35.188{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A10057FB8892ABAA995195FD58B0922E,SHA256=8DC368E39751C65A36CD8B3518D2FB9302E8E36B06B08EAE454CBA979299AE0C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:33.198{67EB100B-5230-61E9-0B00-000000002202}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:4583:762e:c49e:9a52win-dc-tcontreras-attack-range-957.attackrange.local62405-truefe80:0:0:0:4583:762e:c49e:9a52win-dc-tcontreras-attack-range-957.attackrange.local49666- 354300x800000000000000059647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:33.198{67EB100B-5230-61E9-0B00-000000002202}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4583:762e:c49e:9a52win-dc-tcontreras-attack-range-957.attackrange.local62405-truefe80:0:0:0:4583:762e:c49e:9a52win-dc-tcontreras-attack-range-957.attackrange.local49666- 354300x800000000000000059646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:33.196{67EB100B-5232-61E9-0D00-000000002202}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:4583:762e:c49e:9a52win-dc-tcontreras-attack-range-957.attackrange.local62404-truefe80:0:0:0:4583:762e:c49e:9a52win-dc-tcontreras-attack-range-957.attackrange.local135epmap 354300x800000000000000059645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:33.196{67EB100B-5230-61E9-0B00-000000002202}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4583:762e:c49e:9a52win-dc-tcontreras-attack-range-957.attackrange.local62404-truefe80:0:0:0:4583:762e:c49e:9a52win-dc-tcontreras-attack-range-957.attackrange.local135epmap 354300x800000000000000035190Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:32.290{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50973-false10.0.1.12-8000- 23542300x800000000000000059650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:36.813{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=373EDA6728B34B19FE08BBD2E7CFFAD7,SHA256=8403A687847B5D16AB6839EF99568937A04151F1B20AEC8A3C8DA52E534DCEDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035192Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:36.204{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9A546C2868719D66149002D7E50908D,SHA256=A0B88DE18C760249766E7580CE4355D3F404F869492A14B02C95A6C9F7A2C22E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:37.830{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E95E5DFFFD736D2C82F5EFBE3CA2B86,SHA256=44846C12438EF9EA4C171FFA2D46EAC4FE6E65A2569B3A46372D7F48819F07E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035193Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:37.219{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE64BA23E3BD0435D879EDC37C0ED1EF,SHA256=BD6175140D5D0B0236427DEC1EBF8A717A903E233EF76101D3F1F2B4BFF371F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:33.878{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62406-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:38.831{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=416772379DD3F23806B51DFC24C8026C,SHA256=970CB573D75EFD74E829808F2BE9F1F6D3F23F70386656541A1EAE2855A92118,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035194Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:38.235{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8A019F82B19E7F8BD04820F80F32BFF,SHA256=C37F83408C5610D3556E472DA02AB7CEA38E1235669857190982CBD13202D409,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:39.847{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB5B078BAD75491B11C131E0F079E09C,SHA256=E6677B16ACFF20AFE5405BBB46570C4BABF7BC9A82FE351D7333BBECFA977D82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:39.847{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFAE191D4272A1492673F6281690ABEE,SHA256=BA4C82782A9F3B89880F4D18E4208C59965B1E587E0FBBD27A032371A78A2508,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:39.831{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=355A0529B0F8A230D5562D7B930EF7A5,SHA256=B5F3B74D9848BC9EDE5486AE37FAE1EA8BB18E45F5F69958A6FC4DF049DC9BCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035195Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:39.251{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B6C287E167C6641B9622BECC811A9F,SHA256=D86086D4962B8D24C68EDBA5E32FB3F46CAD7C125DF51CB1D89B89ECBC81F03C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:39.212{67EB100B-5243-61E9-2500-000000002202}2840NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0231120d92e8ee7ae\channels\health\respondent-20220120121502-102MD5=8F9BF81EEEF0CC5FBD19D34ACA4D7654,SHA256=BDB857148A23C205BC97FF1DFCA28720A075C205934C789E9782C71AA2112876,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:40.832{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9DAED48EBCA3F82A761FB9B575715A5,SHA256=74DC7436C3F5A649D4AA6C2BAAFDA0623CFDE3B583BBE9D3E1103ECCF1C69094,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035209Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:40.641{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6B08-61E9-5C03-000000002202}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035208Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:40.641{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035207Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:40.641{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035206Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:40.641{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035205Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:40.641{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035204Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:40.641{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035203Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:40.641{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035202Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:40.641{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035201Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:40.641{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035200Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:40.641{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035199Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:40.641{8EF30467-5220-61E9-0500-000000002202}412428C:\Windows\system32\csrss.exe{8EF30467-6B08-61E9-5C03-000000002202}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035198Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:40.641{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6B08-61E9-5C03-000000002202}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035197Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:40.642{8EF30467-6B08-61E9-5C03-000000002202}2572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035196Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:40.266{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=226EEFFACAFD92E8E5635DEB23266842,SHA256=51CE81F9511FCAC60FD2D281307C7B0E14907D20EAE2F6CD42F35EAB9E5FB29A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:37.832{67EB100B-5232-61E9-0F00-000000002202}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.67.65-28376-false10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local3389ms-wbt-server 23542300x800000000000000059658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:40.212{67EB100B-5243-61E9-2500-000000002202}2840NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0231120d92e8ee7ae\channels\health\surveyor-20220120121500-103MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035240Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:41.782{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6B09-61E9-5E03-000000002202}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035239Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:41.782{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EE770FC785DDAF1E5F3F8A045431741,SHA256=78D2EE5030998DA4ACB3DAAA136E32DE95F6930FF76AA608AA997BC7956B73D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035238Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:41.782{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035237Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:41.782{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035236Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:41.782{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035235Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:41.782{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035234Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:41.782{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035233Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:41.782{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035232Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:41.782{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035231Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:41.782{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035230Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:41.782{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035229Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:41.782{8EF30467-5220-61E9-0500-000000002202}412528C:\Windows\system32\csrss.exe{8EF30467-6B09-61E9-5E03-000000002202}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035228Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:41.782{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6B09-61E9-5E03-000000002202}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035227Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:41.784{8EF30467-6B09-61E9-5E03-000000002202}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035226Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:41.782{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C7A44E9268163202C6DA3F36D7BCDEE,SHA256=D19581DA6467DE23511CE6BAFA057EEAD099CEA6C870EA62DED3C2D77404AF07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035225Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:41.782{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA2197B809E71A040BDC63ED5988759E,SHA256=0F6DF2EAA335B40D63D610A73087CBA4EFD5F4F9D3C15261263E65F7868A3D50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035224Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:41.438{8EF30467-6B09-61E9-5D03-000000002202}26042368C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000035223Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:38.259{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50974-false10.0.1.12-8000- 23542300x800000000000000059662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:41.848{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6FE69EDCBA1E7CE8A61225619C3410A,SHA256=781CE4DB0E8CBC8C2D2195CB232748892F85DC9B96E568861E97257CB856CDBE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:38.928{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62407-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000035222Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:41.266{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6B09-61E9-5D03-000000002202}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035221Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:41.266{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035220Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:41.266{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035219Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:41.266{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035218Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:41.266{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035217Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:41.266{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035216Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:41.266{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035215Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:41.266{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035214Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:41.266{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035213Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:41.266{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035212Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:41.266{8EF30467-5220-61E9-0500-000000002202}412428C:\Windows\system32\csrss.exe{8EF30467-6B09-61E9-5D03-000000002202}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035211Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:41.266{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6B09-61E9-5D03-000000002202}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035210Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:41.267{8EF30467-6B09-61E9-5D03-000000002202}2604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:42.848{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2E27CD461B4BCA83DB4229C7EDDF43A,SHA256=FC234411D1898D9CEFCDD9F133A19014EB327A9D6022E8B175EECF165D4A3F6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035255Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:42.844{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6B0A-61E9-5F03-000000002202}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035254Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:42.844{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035253Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:42.844{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035252Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:42.844{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035251Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:42.844{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035250Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:42.844{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035249Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:42.844{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035248Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:42.844{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035247Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:42.844{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035246Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:42.844{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035245Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:42.844{8EF30467-5220-61E9-0500-000000002202}412528C:\Windows\system32\csrss.exe{8EF30467-6B0A-61E9-5F03-000000002202}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035244Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:42.844{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6B0A-61E9-5F03-000000002202}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035243Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:42.845{8EF30467-6B0A-61E9-5F03-000000002202}2872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035242Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:42.829{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EE770FC785DDAF1E5F3F8A045431741,SHA256=78D2EE5030998DA4ACB3DAAA136E32DE95F6930FF76AA608AA997BC7956B73D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035241Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:42.438{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2B3FE73C0D29FCE7464FA36F1D50A39,SHA256=196E9BB582D97C20C7CB14388BC3EF50C88E4BD40B4FD3FF07DE915FEAD13261,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:43.849{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B4074EC2FFEB6240B07BA9FF69F2308,SHA256=12DDF175DE473CE0CD1A6204A1B45FF02AA456D7B477283FB4A95833A6C25A47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035258Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:43.907{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E637F7A264E0EDDE582316ED06180EC,SHA256=26515C99C240A7D15BDA910EA3546F0C4178CD6D676E30BFEEBB021F8F4B8914,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035257Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:43.469{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9C25C3D22BCA7A0BA467924521F515C,SHA256=39A08183780D65FA62B8426F7572A3E9D8325C84FC3BB541A40E431A5F95BD56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:43.779{67EB100B-5232-61E9-1100-000000002202}636NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=EBB877F086B9E0C7F2087E9BE33A69E7,SHA256=C70C945DB6ACA376A6B2D2ECE54E212A8D0E5773A90E1F779B01F2554216D691,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:40.735{67EB100B-5232-61E9-0F00-000000002202}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.67.65-27484-false10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local3389ms-wbt-server 23542300x800000000000000059664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:43.149{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB5B078BAD75491B11C131E0F079E09C,SHA256=E6677B16ACFF20AFE5405BBB46570C4BABF7BC9A82FE351D7333BBECFA977D82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035256Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:43.063{8EF30467-6B0A-61E9-5F03-000000002202}28722764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000059668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:44.864{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6865C5F9A9CD969AB0E8908B553B728,SHA256=4C362170D8ED45619C002B41A7EE195917FE101EAEF54F8FB0A5A8DC400EA0E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035287Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:44.938{8EF30467-6B0C-61E9-6103-000000002202}33923552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035286Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:44.782{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6B0C-61E9-6103-000000002202}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035285Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:44.782{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035284Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:44.782{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035283Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:44.782{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035282Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:44.782{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035281Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:44.782{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035280Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:44.782{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035279Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:44.782{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035278Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:44.782{8EF30467-5220-61E9-0500-000000002202}412428C:\Windows\system32\csrss.exe{8EF30467-6B0C-61E9-6103-000000002202}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035277Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:44.782{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035276Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:44.782{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035275Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:44.782{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6B0C-61E9-6103-000000002202}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035274Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:44.782{8EF30467-6B0C-61E9-6103-000000002202}3392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035273Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:44.485{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61DF4A9F3355FC5C4016C31164247610,SHA256=4DF2D3B6BC239D7E730DCC78C938D87236AAB824751CF6C3DE2313B0F19E656D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035272Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:44.297{8EF30467-6B0C-61E9-6003-000000002202}24523296C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035271Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:44.110{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6B0C-61E9-6003-000000002202}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035270Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:44.110{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035269Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:44.110{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035268Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:44.110{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035267Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:44.110{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035266Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:44.110{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035265Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:44.110{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035264Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:44.110{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035263Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:44.110{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035262Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:44.110{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035261Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:44.110{8EF30467-5220-61E9-0500-000000002202}412428C:\Windows\system32\csrss.exe{8EF30467-6B0C-61E9-6003-000000002202}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035260Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:44.110{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6B0C-61E9-6003-000000002202}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035259Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:44.110{8EF30467-6B0C-61E9-6003-000000002202}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:45.913{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24BF6E7F51091920A63581A46E2DA4D9,SHA256=D634BF41C520C57A6CB36DD4F07B62DD8C326C9E632AF3D625F3E26E9D07BDCE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035290Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:43.306{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50975-false10.0.1.12-8000- 23542300x800000000000000035289Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:45.500{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77D7A7AD5E603AE69A4FF64717C4DAF8,SHA256=3A2E1151F150A517AF927C916DC1B441F258A2F14A2C2E9B2932162DB6B57FEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035288Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:45.125{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38D0692E0B6DAB17366CD266D31F9F6A,SHA256=D4DE16E02B39B185AB8A8B0B2C223F2222E28AACEFA4002E0B5F4F9BCA2F3A2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:46.947{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=495BC9264304BC4ABF0530C3F14709C6,SHA256=61CD65B3D04C5D488FAF750D5C098E6BA45333B012BD6F982A4F0FC53AE1E530,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035304Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:46.969{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6B0E-61E9-6203-000000002202}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035303Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:46.969{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035302Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:46.969{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035301Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:46.969{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035300Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:46.969{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035299Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:46.969{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035298Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:46.969{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035297Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:46.969{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035296Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:46.969{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035295Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:46.969{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035294Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:46.969{8EF30467-5220-61E9-0500-000000002202}4121048C:\Windows\system32\csrss.exe{8EF30467-6B0E-61E9-6203-000000002202}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035293Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:46.969{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6B0E-61E9-6203-000000002202}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035292Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:46.970{8EF30467-6B0E-61E9-6203-000000002202}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035291Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:46.516{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7476ECA69D584ECB7058B53E71632B61,SHA256=6CECEF1747EA0DB23E23D808A31802901CFB67DBEB52AB5ABCBB3BE7E6721336,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:43.967{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62408-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:47.949{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B69A7C43A9FDDB71042A80A6C7AD05AD,SHA256=9E1FFC9708466DF79CE57513BD211133AF7D1B9BE15F2C442D95F237D44F03AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035306Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:47.985{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8AE8C84A77799C336B643D946BA8D8D,SHA256=978BD78EE77C8007E1A11A1DA2CD2C273D41F869873898366FE27149C42457A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035305Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:47.532{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CC12DABE876B58E3F74BCB65687C3A2,SHA256=4B642010BC043B54D7DBC79332BF7D4643D4B65F16EBE170106BCF6484928A31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:48.964{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD200B33A4A8238ACC68F7F6987FFDEB,SHA256=268775CC663BB5D53E50F2ECCAF05AA3415117C4983A50CF480D1BFFE24F1A89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035307Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:48.563{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C07D72EA22EEFC46F979A75FED45C1DC,SHA256=8E0C1FBB8CED2F06057D8C6251703D322E89CC123AD91DF6EF6946F8F110DA04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:48.348{67EB100B-5243-61E9-2A00-000000002202}2992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D436AF652A33B7D06FAEE8F888192108,SHA256=D76038C381859681D8335FD4E07B206A8BF432D2938CEAE5F3738101625CBCCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:48.133{67EB100B-5289-61E9-8900-000000002202}45242224C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:48.133{67EB100B-5289-61E9-8900-000000002202}45242224C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:48.133{67EB100B-5289-61E9-8900-000000002202}45242224C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:48.117{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62db0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:48.117{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+62d6c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:48.117{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62d40|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:48.116{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000059682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:49.980{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF075A9B02E5CEF11AD1D497210DCEB8,SHA256=9159B51BE93632AE41E93C6E08C0CF32170A062BE4BA71882760796E3FB317D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035308Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:49.579{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB801270EB2350278AEC3491011D8072,SHA256=B4D5462FF1FD6A84C6EE0549F1A1B2344529DA6FD49CCB79D75999C2FD84955C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:50.980{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA4037C73EB87449F285B9435D75505B,SHA256=E74789C3E8E09C859CEC68F2EDAFCA1A1846B1A82D75044E1DA20B25C5031F19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035309Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:50.594{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65EFB82C0D39A0F42C4AA4670D69475E,SHA256=BFD8C5D2229B944C4DD4EDD3680714628270CCA086D305EA5C79246D03EE44E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:48.067{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62409-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000035310Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:51.641{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF054AD3102865B555F08D9DA344E65B,SHA256=B35DF32E0E999E77932037D171BFA6CFCDE489057EF8F4F18E8A0C2EA47058CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:51.948{67EB100B-5230-61E9-0B00-000000002202}6486544C:\Windows\system32\lsass.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:51.948{67EB100B-5230-61E9-0B00-000000002202}6486544C:\Windows\system32\lsass.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035312Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:52.688{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5FC0908A63845EE11EC484CF298AD63,SHA256=A1F456A294D1B08CF762DD83CECD7B9E69931A2875A9E47E64C780F80967C98D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000059693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-SetValue2022-01-20 14:00:52.648{67EB100B-5243-61E9-2800-000000002202}2888C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\CFE4E044-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_CFE4E044-0000-0000-0000-100000000000.XML 13241300x800000000000000059692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-SetValue2022-01-20 14:00:52.648{67EB100B-5243-61E9-2800-000000002202}2888C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\8C533564-C8B4-4196-940E-64C9AB5816AA\Config SourceDWORD (0x00000001) 13241300x800000000000000059691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-SetValue2022-01-20 14:00:52.648{67EB100B-5243-61E9-2800-000000002202}2888C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\8C533564-C8B4-4196-940E-64C9AB5816AA\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_8C533564-C8B4-4196-940E-64C9AB5816AA.XML 10341000x800000000000000059690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:52.633{67EB100B-5230-61E9-0B00-000000002202}6486544C:\Windows\system32\lsass.exe{67EB100B-5243-61E9-2800-000000002202}2888C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:52.633{67EB100B-5230-61E9-0B00-000000002202}6486544C:\Windows\system32\lsass.exe{67EB100B-5243-61E9-2800-000000002202}2888C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000059688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:49.968{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62410-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:52.016{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E396D9FA4D1A0EF6A28695529D190ED,SHA256=BD1F6162C2BEAACDE3293DD197044EB532237B5E592FE912215A346C4636C624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035311Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:52.297{8EF30467-5222-61E9-2000-000000002202}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D436AF652A33B7D06FAEE8F888192108,SHA256=D76038C381859681D8335FD4E07B206A8BF432D2938CEAE5F3738101625CBCCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035314Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:53.704{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC404D3599A06C17EC2249B4FBCE11F0,SHA256=2767794807AB2530B2262E99C8073FB1223C8476444144C244FB424ACF3C5440,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:53.480{67EB100B-5230-61E9-0B00-000000002202}6484172C:\Windows\system32\lsass.exe{67EB100B-5243-61E9-2800-000000002202}2888C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:53.480{67EB100B-5230-61E9-0B00-000000002202}6484172C:\Windows\system32\lsass.exe{67EB100B-5243-61E9-2800-000000002202}2888C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:53.480{67EB100B-5230-61E9-0B00-000000002202}6484172C:\Windows\system32\lsass.exe{67EB100B-5243-61E9-2800-000000002202}2888C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000059694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:53.033{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EF0C320BE3C955EE66CD1E0E2110B5E,SHA256=3E4A8004DB743D0BD4ECDA86DC21C12C9559EF2A446851228DE97A2A8E2EB1E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035313Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:49.290{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50976-false10.0.1.12-8000- 23542300x800000000000000035316Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:54.735{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1881E0E08A4C0DF4A18D75869EF57850,SHA256=58CBCB325B30FC575EC584206EAABD032AEB8828743B24CD990E9C70EA27977A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:54.482{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C7EA6E0489B0D69EE483D68E3DF1F43,SHA256=5C0D372933ED926E93406C909DF20F11911B68A5650BC24416D4F079D37EA9C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:54.482{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=485150128D62F81A820E133593F0D5FF,SHA256=542B1EFF76F9DD32853A474D454148BBCE76E957EAEA9B8F454D12DC2BC9521B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:54.482{67EB100B-5230-61E9-0B00-000000002202}648784C:\Windows\system32\lsass.exe{67EB100B-5243-61E9-2800-000000002202}2888C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:54.482{67EB100B-5230-61E9-0B00-000000002202}648784C:\Windows\system32\lsass.exe{67EB100B-5243-61E9-2800-000000002202}2888C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000059732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:52.394{67EB100B-5232-61E9-1400-000000002202}1064C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:9890:baff:83dc:ffff-60353-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x800000000000000059731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:52.394{67EB100B-5232-61E9-1400-000000002202}1064C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:4583:762e:c49e:9a52win-dc-tcontreras-attack-range-957.attackrange.local60353-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x800000000000000059730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:52.389{67EB100B-5243-61E9-2600-000000002202}2864C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local56790-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x800000000000000059729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:52.389{67EB100B-5243-61E9-2600-000000002202}2864C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local63652- 354300x800000000000000059728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:52.389{67EB100B-5232-61E9-1400-000000002202}1064C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local63652-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local53domain 354300x800000000000000059727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:52.370{67EB100B-5232-61E9-0D00-000000002202}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:4583:762e:c49e:9a52win-dc-tcontreras-attack-range-957.attackrange.local62411-truefe80:0:0:0:4583:762e:c49e:9a52win-dc-tcontreras-attack-range-957.attackrange.local135epmap 354300x800000000000000059726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:52.370{67EB100B-5243-61E9-2800-000000002202}2888C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:4583:762e:c49e:9a52win-dc-tcontreras-attack-range-957.attackrange.local62411-truefe80:0:0:0:4583:762e:c49e:9a52win-dc-tcontreras-attack-range-957.attackrange.local135epmap 10341000x800000000000000059725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:54.319{67EB100B-5230-61E9-0B00-000000002202}6486544C:\Windows\system32\lsass.exe{67EB100B-5243-61E9-2800-000000002202}2888C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:54.319{67EB100B-5230-61E9-0B00-000000002202}6486544C:\Windows\system32\lsass.exe{67EB100B-5243-61E9-2800-000000002202}2888C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:54.319{67EB100B-5230-61E9-0B00-000000002202}6486544C:\Windows\system32\lsass.exe{67EB100B-5243-61E9-2800-000000002202}2888C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:54.136{67EB100B-5289-61E9-8900-000000002202}45242224C:\Windows\Explorer.EXE{67EB100B-6B16-61E9-E503-000000002202}2280C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:54.136{67EB100B-5289-61E9-8900-000000002202}45242224C:\Windows\Explorer.EXE{67EB100B-6B16-61E9-E503-000000002202}2280C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:54.136{67EB100B-5289-61E9-8900-000000002202}45242224C:\Windows\Explorer.EXE{67EB100B-6B16-61E9-E503-000000002202}2280C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:54.136{67EB100B-5289-61E9-8400-000000002202}41764244C:\Windows\system32\taskhostw.exe{67EB100B-6B16-61E9-E603-000000002202}5472C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:54.120{67EB100B-5289-61E9-8400-000000002202}41764244C:\Windows\system32\taskhostw.exe{67EB100B-6B16-61E9-E603-000000002202}5472C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:54.098{67EB100B-5289-61E9-8900-000000002202}45244188C:\Windows\Explorer.EXE{67EB100B-6B16-61E9-E503-000000002202}2280C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:54.098{67EB100B-5289-61E9-8900-000000002202}45244188C:\Windows\Explorer.EXE{67EB100B-6B16-61E9-E503-000000002202}2280C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:54.098{67EB100B-5289-61E9-8900-000000002202}45244188C:\Windows\Explorer.EXE{67EB100B-6B16-61E9-E503-000000002202}2280C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:54.098{67EB100B-5289-61E9-8900-000000002202}45244188C:\Windows\Explorer.EXE{67EB100B-6B16-61E9-E503-000000002202}2280C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:54.082{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-6B16-61E9-E603-000000002202}5472C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62db0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:54.082{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-6B16-61E9-E603-000000002202}5472C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+62d6c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:54.082{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-6B16-61E9-E603-000000002202}5472C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62d40|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:54.082{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-6B16-61E9-E603-000000002202}5472C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000059709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:54.066{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDADFAEA05F77529A699C18A066532D4,SHA256=F593EAEBEF3FE486977A95CDD0335A0FEA6C20DBB10E8AD2905F43B4B96177EF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:54.035{67EB100B-5232-61E9-1600-000000002202}12884392C:\Windows\system32\svchost.exe{67EB100B-6B16-61E9-E603-000000002202}5472C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:54.035{67EB100B-5232-61E9-1600-000000002202}12881328C:\Windows\system32\svchost.exe{67EB100B-6B16-61E9-E603-000000002202}5472C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:54.035{67EB100B-6B16-61E9-E603-000000002202}54722240C:\Windows\system32\conhost.exe{67EB100B-6B16-61E9-E503-000000002202}2280C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:54.019{67EB100B-5286-61E9-7A00-000000002202}12646132C:\Windows\system32\csrss.exe{67EB100B-6B16-61E9-E603-000000002202}5472C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 354300x800000000000000035315Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:51.353{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50977-false10.0.1.12-8089- 10341000x800000000000000059704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:54.018{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:54.018{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:54.018{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:54.017{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:54.017{67EB100B-5286-61E9-7A00-000000002202}12642436C:\Windows\system32\csrss.exe{67EB100B-6B16-61E9-E503-000000002202}2280C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:54.017{67EB100B-5289-61E9-8900-000000002202}45244724C:\Windows\Explorer.EXE{67EB100B-6B16-61E9-E503-000000002202}2280C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a912f|C:\Windows\System32\windows.storage.dll+a8da5|C:\Windows\System32\windows.storage.dll+a8896|C:\Windows\System32\windows.storage.dll+a9d08|C:\Windows\System32\windows.storage.dll+a86be|C:\Windows\System32\windows.storage.dll+ab4d5|C:\Windows\System32\windows.storage.dll+ab854|C:\Windows\System32\windows.storage.dll+204b94|C:\Windows\System32\windows.storage.dll+ad6ba|C:\Windows\System32\windows.storage.dll+ad472|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801e1|C:\Windows\System32\SHELL32.dll+6717e|C:\Windows\System32\SHELL32.dll+1757c0|C:\Windows\System32\SHELL32.dll+17c29c|C:\Windows\System32\SHELL32.dll+19ea38|C:\Windows\System32\SHELL32.dll+17c436|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 154100x800000000000000059698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:54.016{67EB100B-6B16-61E9-E503-000000002202}2280C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Temp"C:\Windows\system32\ATTACKRANGE\Administrator{67EB100B-5288-61E9-FCE4-070000000000}0x7e4fc2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000035317Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:55.750{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9B9CE12D4F05A312C9798F9246D3778,SHA256=2DF9B844D2EED37ED576D380C0FE0AB0869115EA46BA751675DA58EE69C449E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:54.048{67EB100B-5230-61E9-0B00-000000002202}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62413-false10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local389ldap 354300x800000000000000059740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:54.048{67EB100B-5243-61E9-2800-000000002202}2888C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62413-false10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local389ldap 354300x800000000000000059739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:53.215{67EB100B-5230-61E9-0B00-000000002202}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62412-false10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local389ldap 354300x800000000000000059738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:53.215{67EB100B-5243-61E9-2800-000000002202}2888C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62412-false10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local389ldap 23542300x800000000000000059737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:55.082{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=322C458C1C7E9654EF05AD4D5A063BCF,SHA256=E9D1F55E72B05FCAE9046EDA1BA3E2203844B57DBE6BA7688FE1F0F4A71BE564,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035318Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:56.782{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ED851892F02A4429D6D2A30BE888917,SHA256=ED99ED8BEAD356B364827F0752F87633E18AF0A4EBE6B63EC86311B764DDAD9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:56.097{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2169D7C20529BE0AB883A9D8B9A2CCF2,SHA256=5B6EB7E1916D5DF42F97BF212CEBA839DB04CD8733B5F628AE7B1624C1C2656C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035319Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:57.813{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22E69BABA4C68B1BE2CC8E2662B606E9,SHA256=8E5EAE65B3E174F493A29109C32BF6E1BCE2729289637E4907D323FA90549604,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:55.848{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62414-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:57.102{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F59F169500C5761293864459B416172C,SHA256=FAE105CCCB889FD0B3CF5E6C33E85589719C103729DFAB5BDC01FAFFD05BAC8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035321Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:58.875{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9031061D5204BADB94945116CABE9F9,SHA256=9C474A3E3D2D2F1770568C8E0638D0ED152D19F0A1FCE5CE1EF3DCA525B9D499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:58.118{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C0813E57C2285E21B904A4CBA4D2F2A,SHA256=5784FEC796E2DD0F857204C0E83C82969BF578950591047125860D6CFDC13A1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035320Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:55.134{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50978-false10.0.1.12-8000- 23542300x800000000000000035322Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:00:59.922{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA0BB38D660D3582F3A759AD50144602,SHA256=CA3723DC1B09BD5716D0EFC353B8A609DE0B1B88D991614FA1E4A1374AF7F3E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:00:59.136{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB946CAE1EE159F7897ED078DD8BE81C,SHA256=ADC811D3E87555C1825E571C8C90B7F8B7D5BEE3748DB47015214132ACD67F42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035323Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:00.938{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1C9141E7566458C1F17C72B4331FA5E,SHA256=9663A1EFA2633B9CC1E2E7C2BAEE6B9305D8D34B55B43E9CABCE1797F0BCA5F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:00.154{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4767F41851031CDEFFFD31B4B4DEE96A,SHA256=9ED3FDEFDC2568157588CFDFB0E763F9B4158E5B2719CC977A0751B189AB0703,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035324Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:01.969{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6BB36AC24B397A2E44CEF1B1AFAFC61,SHA256=A510E75E20DA74EBDC9AEC371AF1F5115C89B0E918453066F5F633C2F8309A61,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:01.415{67EB100B-5289-61E9-8900-000000002202}45242224C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:01.415{67EB100B-5289-61E9-8900-000000002202}45242224C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:01.415{67EB100B-5289-61E9-8900-000000002202}45242224C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:01.415{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62db0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:01.415{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+62d6c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:01.415{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62d40|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:01.415{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000059748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:01.184{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CA0E493EB59AB5EB710A867C460E223,SHA256=59B0DE7A0122F43C6BEC8FDDE7F2D86C497E5C64B9D01C7A80E5E0CAFC2ED5B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035325Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:02.985{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C93E00F86FBF60BB824A784D0D1045FA,SHA256=F77C8487229986E51AB3A8F3A475DA52770AE5330D729E07D8D2625B76EE485F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:00.903{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62415-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:02.185{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AEC3FA5DDD03910DBBE0579F065E275,SHA256=FE18C79867FE173FB4E43D704B862F1A9B672CA646610437CF13F90CFA5B4D0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035326Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:03.985{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFBBAB7A899E90A6EA809CBA7CB9578C,SHA256=04608F57F9F1FC76E10A4495A7D79C0D32D417266CB07824EFE5E3B1B5AD1423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:03.201{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B829E2C2742D5A0836CD80221232097,SHA256=60FF29A5687898F519C444F7CDA1DFF72AAAF758ACDEA9DBAA74CAF7EAAF0FBA,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035327Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:01.149{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50979-false10.0.1.12-8000- 23542300x800000000000000059759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:04.204{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEE57F3A8B38DF7C11E36E5D3A3D60E1,SHA256=F5BC0C7034AAD7A8018BC6538E3CB08C6F532233C490450445479048062DEE9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035328Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:05.016{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3039D839F3CC59F4FF51086BCCB44BF9,SHA256=7B8C528E5628BD307368B843F2564682EC3526E0F7201CF087782475F44B057B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:05.219{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04F4515AA9425B351D943DE3FFCDAD41,SHA256=90E312EA242714DBEE0D605F46253E3F4CB9772325DBA561E9CAF579AFDF0832,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:06.220{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=387BF3F0E1743D0377E21301F24F61BE,SHA256=744EBE66806533E1ACB39E0707EAC632AD35A2BA4CE43715658EF1E7EAB44E79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035329Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:06.032{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EF6D09304ACA2B8288E44094DE64A3A,SHA256=E8079195231085B05975E578DFEE4D2EAEB47783AEA2102939D3ADAD9C2AE9FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:05.955{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62416-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:07.272{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE1537CE3B0943CC4F14EF66BA30E8D8,SHA256=7826AE8F85FDCFF2D8D5CE4E16E1D7D4796575E5AB54B2F2833AF90EA6E492ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035331Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:07.443{8EF30467-5222-61E9-1D00-000000002202}1936NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08eff906c3b0b2aeb\channels\health\respondent-20220120121429-103MD5=9C7CC3E13423C542C468574212C91F42,SHA256=598A0B94AA34B4E0F57831480B3ABFCDA89CC50178B87C4D9085997CAB025298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035330Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:07.065{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F894D979B9AD54434BEDD31DC94F57D,SHA256=6C111A91C68E267AB25C414249F8763BAEB7AD65B1761329210A2F1AC94527E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:08.287{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66EBE16C078125B7A2183E0CA1482013,SHA256=A3BB9F8ED7E2BC718E2C2BB0F6201FB6BEAE6DE998CCE6662CF1423E71222CA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035333Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:08.457{8EF30467-5222-61E9-1D00-000000002202}1936NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08eff906c3b0b2aeb\channels\health\surveyor-20220120121427-104MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035332Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:08.112{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A97609231D0585947ABE282941C156EF,SHA256=1124E943815455C809BEDB8067197F7412666FD1ED85B334B26B890116FA3D96,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035335Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:06.261{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50980-false10.0.1.12-8000- 23542300x800000000000000035334Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:09.160{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E1C4EC70DE158B2D02C45AAF9FC2A75,SHA256=41D7C039963AB0A30C260FF1883C770FAD981D68DCC8FF9D55035A5ACD02311F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:09.302{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=493307F766BE837425CB2A5F809F44F5,SHA256=E69090A302B0D9DE14AA8EAFE0751FD3D81AA667C8CD08D7F6DDFB67B571289C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035336Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:10.191{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=403BB8F332A9B60D43CDE9E934C6E0F3,SHA256=A48E309997361C71AF375A7006143238A8B2EF26CD61E6B65A18B3FFF5F1D92A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:10.474{67EB100B-5289-61E9-8900-000000002202}45242224C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:10.474{67EB100B-5289-61E9-8900-000000002202}45242224C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:10.474{67EB100B-5289-61E9-8900-000000002202}45242224C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000059766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:10.305{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16B79DF3989D28E0F9D02701D06BB033,SHA256=D04049F3ADFCF45619D01C8308D8BC37C5E2D34B3CC0CDFEA94B129FF0705C2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:11.875{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6B27-61E9-E803-000000002202}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:11.875{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:11.875{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:11.875{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:11.875{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:11.875{67EB100B-5230-61E9-0500-000000002202}4161776C:\Windows\system32\csrss.exe{67EB100B-6B27-61E9-E803-000000002202}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:11.875{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6B27-61E9-E803-000000002202}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000059782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:11.876{67EB100B-6B27-61E9-E803-000000002202}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:11.320{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD21DA05E1DB7C463824D4AE9D0BC122,SHA256=F8152E46A473E0E5F505BE2C97F0CE0ED51D16E14ED795AFCAEA3AE3BBCEB93B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035337Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:11.207{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C2032FF7E5F827EE6C5D7C1DD7C11D0,SHA256=B040CC372F8C213D66C10316DE0961421EE1676C3F347E35FCFC017648808B48,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000059780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:11.157{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exeC:\Temp\simulate.bat2022-01-20 13:59:34.026 23542300x800000000000000059779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:11.157{67EB100B-5833-61E9-A001-000000002202}6952ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\simulate.batMD5=F485BA479B178AE1F2975C2AFDB9B8E2,SHA256=0DD8F1979B2C5B6D935CB5E5AAB463871C741DCF651B14232C66F6C85DBFAB73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:11.157{67EB100B-5833-61E9-A001-000000002202}6952ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\simulate.bat.bakMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:11.120{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6B27-61E9-E703-000000002202}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:11.120{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:11.120{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:11.120{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:11.120{67EB100B-5232-61E9-0C00-000000002202}8645164C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:11.120{67EB100B-5230-61E9-0500-000000002202}4162448C:\Windows\system32\csrss.exe{67EB100B-6B27-61E9-E703-000000002202}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:11.120{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6B27-61E9-E703-000000002202}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000059770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:11.121{67EB100B-6B27-61E9-E703-000000002202}6536C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:12.341{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04531AF247A73F2E87B0D2F444BAC03D,SHA256=5856BD72D9675080EF18E14933D08B321220339701CA882463287D33475E1A24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035338Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:12.238{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A201B3337141C28B1E6807883AEF1E53,SHA256=B549F375E0A4BF266EEE9D4A00C64A56E70DC3CBCCE8D739253963AA4CE2A6BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:12.189{67EB100B-6B27-61E9-E803-000000002202}64045096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000059791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:12.151{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A027D7EB880A78F354137613F3D53FE9,SHA256=ACD9C7880C19D903D19D55D18F7B03227726F95AE774ECE2EF6360E730D5925F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:12.149{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C7EA6E0489B0D69EE483D68E3DF1F43,SHA256=5C0D372933ED926E93406C909DF20F11911B68A5650BC24416D4F079D37EA9C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035339Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:13.254{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF19A957D4EEFDB26CECAB400A4A893E,SHA256=9315BE8C891865F9C1B4DA67D2F200752C0F9382CF49AE14909D9C14EF54BEC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:11.849{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62417-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:13.356{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8BB5CEB230C3E09FD569C6C2B9C6875,SHA256=F36A6EC65F927C62BCF17EACB91324DEA5926A37C0A2BC91DE719ED441F64E37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:13.225{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6B29-61E9-E903-000000002202}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:13.225{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:13.225{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:13.225{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:13.225{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:13.225{67EB100B-5230-61E9-0500-000000002202}4162384C:\Windows\system32\csrss.exe{67EB100B-6B29-61E9-E903-000000002202}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:13.225{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6B29-61E9-E903-000000002202}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000059794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:13.226{67EB100B-6B29-61E9-E903-000000002202}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035340Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:14.285{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC0BEB3D7C2F894E95E28CDB4AE90DB5,SHA256=2133788C2B2850EBDC199ADACC12BC04B4AD7D81E9D3831C340F098F59EEF835,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:14.985{67EB100B-6B2A-61E9-EB03-000000002202}34321140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:14.769{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6B2A-61E9-EB03-000000002202}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:14.769{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:14.769{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:14.769{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:14.769{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:14.769{67EB100B-5230-61E9-0500-000000002202}4162384C:\Windows\system32\csrss.exe{67EB100B-6B2A-61E9-EB03-000000002202}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:14.769{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6B2A-61E9-EB03-000000002202}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000059815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:14.770{67EB100B-6B2A-61E9-EB03-000000002202}3432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:14.400{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00A83115845FF00D1EFBAC139171BEAD,SHA256=C3CDAB6B55B023CA0B548D6DE4A83C8A3CE5220C620EA8345613677CB83C112F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:14.327{67EB100B-6B2A-61E9-EA03-000000002202}32523360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000059812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:14.246{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A027D7EB880A78F354137613F3D53FE9,SHA256=ACD9C7880C19D903D19D55D18F7B03227726F95AE774ECE2EF6360E730D5925F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:14.096{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6B2A-61E9-EA03-000000002202}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:14.096{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:14.096{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:14.096{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:14.096{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:14.096{67EB100B-5230-61E9-0500-000000002202}4162448C:\Windows\system32\csrss.exe{67EB100B-6B2A-61E9-EA03-000000002202}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:14.096{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6B2A-61E9-EA03-000000002202}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000059804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:14.098{67EB100B-6B2A-61E9-EA03-000000002202}3252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035342Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:15.316{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E136707FC18C1D2CF0FBB0F1E12CA52,SHA256=91EC3C7619EF92B6A7D144140C6C29660395EBAEBA13350F47DB68DB16801B1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:14.385{67EB100B-5230-61E9-0B00-000000002202}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local62418-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local389ldap 354300x800000000000000059835Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:14.385{67EB100B-5243-61E9-2300-000000002202}2824C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local62418-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local389ldap 10341000x800000000000000059834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:15.700{67EB100B-6B2B-61E9-EC03-000000002202}1005996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000059833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:15.671{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C70749B7E522EEC934DE6284A0AB5C7,SHA256=2D9BED671113AEC7946E7EB2EC8743EBEA3C9CFE4C73D5CE8531C91EA65A6AD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:15.452{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6B2B-61E9-EC03-000000002202}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:15.450{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:15.450{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059829Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:15.450{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059828Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:15.450{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059827Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:15.449{67EB100B-5230-61E9-0500-000000002202}4162384C:\Windows\system32\csrss.exe{67EB100B-6B2B-61E9-EC03-000000002202}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059826Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:15.449{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6B2B-61E9-EC03-000000002202}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000059825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:15.449{67EB100B-6B2B-61E9-EC03-000000002202}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:15.401{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C207C2113CFC6324D76160F77BE39B9A,SHA256=F26B4FB6B6E172CA7B9A8EE70C2D1837E00DD0BD40D0BFDBB627DD721299DD2B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035341Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:12.200{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50981-false10.0.1.12-8000- 23542300x800000000000000035343Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:16.395{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=376000B338C6A8802FCE9D930AFF5D11,SHA256=4F24E95E512104850A5B658497C862EF0B45AEFBFEA2CDFE956BB676DE6D1FEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:16.432{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69EB2EB0E01228644C90CFBD57FC466C,SHA256=1042AED38409A088AD1CE61637B052B633BA6FA253ABEF4879A9AF2400A29558,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035344Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:17.520{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69D723C2D07A0AFBD26EECDEDC42B605,SHA256=448C8B9AEDD1E296EDEF298FEE593EE92C5F2A972B8A6D2342E2948590475797,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000059844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:17.831{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exeC:\Temp\simulate.bat2022-01-20 13:59:34.026 23542300x800000000000000059843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:17.831{67EB100B-5833-61E9-A001-000000002202}6952ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\simulate.batMD5=1E5D3161A53FE1E9E454CA93A2F8F853,SHA256=D6F51FC8B71CC69DBCAC8F092A97D05B3C9A19711723EC599F38D0E4CE26D4EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:17.831{67EB100B-5833-61E9-A001-000000002202}6952ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\simulate.bat.bakMD5=F485BA479B178AE1F2975C2AFDB9B8E2,SHA256=0DD8F1979B2C5B6D935CB5E5AAB463871C741DCF651B14232C66F6C85DBFAB73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:17.450{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D56CD5828E7B3F66FD5AE3DC4507BE19,SHA256=04FA71BD0D3035C17466A02779DCB3033DCD35364A4A50A20BDDEE3BFE3CF2DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:17.200{67EB100B-5289-61E9-8900-000000002202}45242224C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:17.200{67EB100B-5289-61E9-8900-000000002202}45242224C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:17.200{67EB100B-5289-61E9-8900-000000002202}45242224C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035345Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:18.535{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50A6C3E92BC6EC7274E2732ED99E6428,SHA256=67E626B3DA5958306A1EF81A398B7166481892DBDE067FC71C69047E48924BE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:18.518{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C00A62953413AE775AA5D7C64298ADC,SHA256=EE669695F9444B87B8AADC6A7C06EC6AB53B3481565961389010875ABF990D99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:18.430{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6B2E-61E9-ED03-000000002202}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:18.430{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:18.430{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:18.430{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:18.430{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:18.430{67EB100B-5230-61E9-0500-000000002202}4161776C:\Windows\system32\csrss.exe{67EB100B-6B2E-61E9-ED03-000000002202}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:18.430{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6B2E-61E9-ED03-000000002202}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000059845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:18.431{67EB100B-6B2E-61E9-ED03-000000002202}1780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035346Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:19.551{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DC6847628C064E6149826C00A399170,SHA256=04395BA50C4AFB29FCD90D6A143C51F15646D83E88A1C983FA746C82FFDEA88F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:17.781{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62419-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:19.552{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=354ED3D48CF383AFE1FA9D8F619943D6,SHA256=8328136AB3CDA8971A7AE002DB92E3F35356CF139F31AF7507131BEB397AAF74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:19.436{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BF73F5D5A1F599EE32A23647A5F1B116,SHA256=24D13A744A60BB35544489FB66DE162925B0FF711D7113614D6C935BA89C5038,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035347Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:20.566{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E046DCF7177032D6AA9DB6412651210,SHA256=2B8E5F23B83105426CB8EC16437B871E2F5513BBA138BBD480E6DF9DAB86DBBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:20.574{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA7EBBE5ECC6C6DD8C12C39B061CC482,SHA256=BC9BBCDBC4AF9FE5C38095D72DD78F4B6FC648B865059E0C086EA2A04EA91658,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:21.575{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60149994AD557E32B6C0F737791B2938,SHA256=411CF932A4AC1E92723F7CFACEC8A5C0BAE20564C90D36A45E87EAE796980EF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035349Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:21.582{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC760C21B476DD60B3660BB894969510,SHA256=76D1BB50DB12B34D9A09BAAAFCE3CFDC9D3232A2A26A32ECEA49A93748ADFCC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035348Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:18.231{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50982-false10.0.1.12-8000- 23542300x800000000000000059859Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:22.605{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37355694594736C5D4E98E8C4A2CC714,SHA256=7F09CFDEA48F51BBED8D44F921BD4E5E8C43D6CE92403077A3B149A2A9FA80FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035350Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:22.613{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5055467BC46511240746059D1F841A02,SHA256=702F9D6D2FDD95566359A1BE364E2337C54DB75570F4E32E79A29DFA286F65CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035351Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:23.676{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86F8EA834136ED14F162A0B6C4D19FC9,SHA256=AB177AF2819C23558771A46A7DA4EE508DB105DBDA3EB73133B50E953EA624C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059860Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:23.689{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92B4B711A8ACC1DACE99FDC15172AA1A,SHA256=487C9FC1B034DA99D68B4C3F5C4B0B7F9BBD451B5E5D39319AC7F8B565275724,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035352Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:24.723{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7882208EBFADB0E328DD8BDE808DD234,SHA256=90372D05414D2909731A705559F341B47967D77599C3C3E4F8C98022E1E7F960,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059861Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:24.704{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FEA0265325DCCC9333BB4B80961664D,SHA256=EF78A258C7BE37106C5AD9EFCA19C86CD70D793601D6672691D22C422B551247,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035353Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:25.738{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B28873CD7258456CBF88A3F9D62CCBF,SHA256=ED8CE1493D57BAF98407E72301169D99504278F57D74D7B917430353823E5966,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059863Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:22.940{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62420-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059862Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:25.719{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD585915FE0A817319D5DDACD5DF119C,SHA256=E4E6B7351AEFF5202DF509D0F80C9BB3FAD80D86EACB8ADC5F52E27CDD3B11D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059864Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:26.735{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2569CD1837B6DE2E932C37293E904A4,SHA256=6E111C48C9D2132CC6E77603C70C86BD02D5FD7B20C7A0ED60AA2AC217C2270A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035355Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:26.770{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C595CD8ABDC49C58A86D56F88BB27452,SHA256=F75E3269CC85E0E276386FFFCE11B408B5D87B8393CACF72AD04D77934A688B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035354Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:23.262{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50983-false10.0.1.12-8000- 23542300x800000000000000059865Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:27.735{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=872CDF2FAF0E53126D1D6DAFEFC3C505,SHA256=DDF5B1E2B00192CE5E8B2FE2F3F7B04E899E896C740A4A094A4F97D3A40A2DEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035357Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:27.785{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69D1EB21F166F28512CAF6AABC3C66CF,SHA256=3D03D77A517A106E592E4261C464A1685C59C20A6DD8E390EE1B2CE75FE8E460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035356Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:27.660{8EF30467-5221-61E9-1100-000000002202}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=096B2B0D014BB9E7A6FCA246A4C15932,SHA256=DE38B6023EF3CD70CD8E5A49314C7424E2761B989FED1B7FBC8DD20A5536FC76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035358Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:28.801{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2F3929A2669B85BB411DF8C30187811,SHA256=9EE04FAE4A4CC7291AA4C27CA63021A024CC2322156977D4284B1729FD4A857B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000059872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:28.756{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exeC:\Temp\simulate.bat2022-01-20 13:59:34.026 23542300x800000000000000059871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:28.756{67EB100B-5833-61E9-A001-000000002202}6952ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\simulate.batMD5=FA90BBD62DCBFE40839E2C8D06AF2F20,SHA256=B89E8B12CA28858CEE48E1A632A0B0571763E81B9017B59D64B8E7CE49F7F334,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:28.756{67EB100B-5833-61E9-A001-000000002202}6952ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\simulate.bat.bakMD5=1E5D3161A53FE1E9E454CA93A2F8F853,SHA256=D6F51FC8B71CC69DBCAC8F092A97D05B3C9A19711723EC599F38D0E4CE26D4EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:28.754{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E39A22D5A180D2B46CED8642F5058DDF,SHA256=46AE0A70567A32FAE2B2C7866256A2125DE545B08B5099F6003936590A6BFB1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:28.120{67EB100B-5289-61E9-8900-000000002202}45242224C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:28.120{67EB100B-5289-61E9-8900-000000002202}45242224C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:28.120{67EB100B-5289-61E9-8900-000000002202}45242224C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035359Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:29.848{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33ACD9B7DE7B8DCE1E9D95121431440C,SHA256=527BE7ECFAF5BE61B7FA39FBDA6205CE7727BD01421BB3EEB188676DA18CEE81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:29.772{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B4C460A3BF7445E902D5180BC53EA07,SHA256=836EC7B010EEE0DE1420E715FCB9C3688233ECB6F8A8E13A5A88D56F05A67F53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:30.788{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34558B30E3942E7772EAA830A2CF1520,SHA256=35B82598389975A933101F7CF234B904BDC653BCE8F2355DBBF6E36F7FD80FE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035363Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:30.863{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF00AF575A6E9386D07110FA8633A5C3,SHA256=8F57D6077CBD22AD180DACC264716E3E295CAF790E9F57B7C1641942445F5314,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035362Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:30.082{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1300-000000002202}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035361Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:30.082{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1300-000000002202}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035360Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:30.082{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1300-000000002202}832C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000059876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:31.789{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7CFDCB1ACA142476F7F57D1B856FE97,SHA256=ACE773CFE72D3B22EBFAC2841A8F9701C777FE59F4772A90BACAFA0716177285,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035365Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:31.895{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D252C7E1CA197054E79E9B5744E0352,SHA256=2CD1E31D7D978176EA8A60F3A0ED0422B4D7F54664511375CF6317932469C714,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:28.786{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62421-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000035364Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:29.184{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50984-false10.0.1.12-8000- 23542300x800000000000000035366Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:32.910{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF73C50765BEB02998464E136FC9350A,SHA256=D8C2C0F7F3E7766655BE8000698B86E9AA553773DE5E83473DD3CD5B5CCAEDCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:32.804{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B580D1EF23A073631DC7831B3D35FC2,SHA256=C2A4D3CD60D607544649F004B53B15F83B56F341B5E926E1B881E6740882B6B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035367Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:33.941{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76AE80C49F00FA1E01C814806E245ED9,SHA256=1E6BF14CCC8180E08B3B2D47C6D25F2F22B422EE9617DF9E16B4106E423CF9DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:33.820{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB91AAD2F7EFCB9EB415D3EC5E4B64B0,SHA256=69B550AC184ABF44F61600864AD6EB3CC93068666521BAF4CCB55B50BFC8692A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:33.773{67EB100B-5289-61E9-8900-000000002202}45242224C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:33.773{67EB100B-5289-61E9-8900-000000002202}45242224C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:33.773{67EB100B-5289-61E9-8900-000000002202}45242224C:\Windows\Explorer.EXE{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000059878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:33.135{67EB100B-5833-61E9-A001-000000002202}6952ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=7C77A69EE624332CEB3298AD1217EEEC,SHA256=8CC379262A99732EB1B63CFB455DF256576516283048266DFF19783EF6ECDA18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035368Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:34.957{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B27297ABC3273C0EE5612AF2290C3BF,SHA256=71D650ED407C62BB0FB11E19D108BB24B0B76EB823533F0716F3700ED93E07AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:34.857{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A0168F3EBC3C4DD5EBB27295625773C,SHA256=853BA8383666864D3EA022E40587E11C7DA6BFAACDAB9DEB136286B992E8778C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:34.272{67EB100B-5833-61E9-A001-000000002202}6952ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\simulate.bat@2022-01-20_140133MD5=6450B8DAECA04FAAEF5341E88729719B,SHA256=E14FA26FAEC17D6812B9BCDB7928FCE6E8904575CB25A36961CC795AF0F1EA20,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000059885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:34.256{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exeC:\Temp\simulate.bat2022-01-20 13:59:34.026 23542300x800000000000000059884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:34.256{67EB100B-5833-61E9-A001-000000002202}6952ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\simulate.batMD5=050C8BDBA64B471710ECE4D322CB51FA,SHA256=55CD40F8B9FF8618B96E8E3373348B4EA2D686086D30BBED7CD0EAEB717CC9C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:34.256{67EB100B-5833-61E9-A001-000000002202}6952ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\simulate.bat.bakMD5=FA90BBD62DCBFE40839E2C8D06AF2F20,SHA256=B89E8B12CA28858CEE48E1A632A0B0571763E81B9017B59D64B8E7CE49F7F334,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:35.888{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42BFF36AD171FC97A224891CDF34FFDE,SHA256=33EC9F2C7E458146DE37D43F8757F68F3A6BD0F3366DDCE70BE2B22F3C06FB15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035369Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:35.973{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29FD62177A26F71E5E96053108A6A351,SHA256=FF2872055C58C4424B2E2E8ECBE274D853057CD60FE6D68C87DE21687144CF99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:36.905{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DEE61464AD842C13AF1708E26CED795,SHA256=E459983B7753C2F4B9081AA2FAAE8616C4447BC0220F70D6BCF9549EBB0C3189,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035370Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:36.988{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=047320CCEB174FF6F0051C6A1AB08F0F,SHA256=54D61DCE7252134F69FD11DE1E08E4475729E3016734668FC525800DC69D355E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:33.870{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62422-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:37.921{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B52101501331EAD7C819DDCB6E4DBD66,SHA256=83687A80BEEB6C17D2B88A5980D6F206C2FDA39121A42AA4E1D708D3632F72F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:37.537{67EB100B-5289-61E9-8900-000000002202}45242224C:\Windows\Explorer.EXE{67EB100B-6B16-61E9-E503-000000002202}2280C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:37.537{67EB100B-5289-61E9-8900-000000002202}45242224C:\Windows\Explorer.EXE{67EB100B-6B16-61E9-E503-000000002202}2280C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:37.537{67EB100B-5289-61E9-8900-000000002202}45242224C:\Windows\Explorer.EXE{67EB100B-6B16-61E9-E503-000000002202}2280C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:37.537{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-6B16-61E9-E603-000000002202}5472C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+62d6c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:37.537{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-6B16-61E9-E603-000000002202}5472C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62db0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:37.537{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-6B16-61E9-E603-000000002202}5472C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62d40|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:37.537{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-6B16-61E9-E603-000000002202}5472C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000035371Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:35.137{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50985-false10.0.1.12-8000- 23542300x800000000000000059899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:38.936{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B04CA7E3D83F9ADE650B538906CD397,SHA256=FCA97ED2E981491C0FC98FB59FF49DBDAD968AC906BBB22B3BD91849C8CB6CED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035372Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:38.004{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0954825515536113F53000268A88AD5F,SHA256=47217B1D4D86849A227E102F2BB19E679DED4D4D620B261F0E9BE0D3AF77C46C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035373Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:39.004{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96B3DE016E34BD09E9575EF9AC329D17,SHA256=FF05DA3017D69B6047EB11BBCC90F8676E239B70ABA9B5C53C7652AD62A53059,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.787{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000060078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.787{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000060077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.787{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000060076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.786{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000060075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.780{67EB100B-5232-61E9-1600-000000002202}12884260C:\Windows\system32\svchost.exe{67EB100B-6B43-61E9-F103-000000002202}6492C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000060074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.780{67EB100B-5232-61E9-1600-000000002202}12881328C:\Windows\system32\svchost.exe{67EB100B-6B43-61E9-F103-000000002202}6492C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000060073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.774{67EB100B-5286-61E9-7A00-000000002202}12643096C:\Windows\system32\csrss.exe{67EB100B-6B43-61E9-F203-000000002202}6880C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000060072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.774{67EB100B-6B16-61E9-E503-000000002202}22805404C:\Windows\system32\cmd.exe{67EB100B-6B43-61E9-F203-000000002202}6880C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000060071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.774{67EB100B-6B43-61E9-F203-000000002202}6880C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe1.22Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /RunC:\Temp\ATTACKRANGE\Administrator{67EB100B-5288-61E9-FCE4-070000000000}0x7e4fc2HighMD5=17FC12902F4769AF3A9271EB4E2DACCE,SHA256=29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B,IMPHASH=563F92D1CB750F339006B11E53047050{67EB100B-6B16-61E9-E503-000000002202}2280C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 10341000x800000000000000060070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.773{67EB100B-6B43-61E9-F103-000000002202}64926484C:\Windows\system32\conhost.exe{67EB100B-6B43-61E9-F003-000000002202}6828C:\Windows\System32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000060069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.769{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000060068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.769{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000060067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.769{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000060066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.769{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000060065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.756{67EB100B-5286-61E9-7A00-000000002202}12646132C:\Windows\system32\csrss.exe{67EB100B-6B43-61E9-F103-000000002202}6492C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000060064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.751{67EB100B-5286-61E9-7A00-000000002202}12643096C:\Windows\system32\csrss.exe{67EB100B-6B43-61E9-F003-000000002202}6828C:\Windows\System32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 534500x800000000000000060063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.750{67EB100B-6B43-61E9-EE03-000000002202}6084C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe 10341000x800000000000000060062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.745{67EB100B-5230-61E9-0500-000000002202}4161776C:\Windows\system32\csrss.exe{67EB100B-6B43-61E9-F003-000000002202}6828C:\Windows\System32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000060061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.744{67EB100B-5232-61E9-1600-000000002202}12884392C:\Windows\system32\svchost.exe{67EB100B-6B43-61E9-F003-000000002202}6828C:\Windows\System32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\seclogon.dll+17dc|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000060060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.742{67EB100B-6B43-61E9-F003-000000002202}6828C:\Windows\System32\sc.exe10.0.14393.0 (rs1_release.160715-1616)Service Control Manager Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsc.exe"C:\Windows\System32\sc.exe" stop WinDefendC:\Windows\System32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e72SystemMD5=BD31EB150F6547D18329E5F00801D1CD,SHA256=8A775B86CE1A057E290CCD26C59C96070684468A3119790743A346CD54F4DFDF,IMPHASH=A68324ADB4F5664AF8A79E04062F4A92{67EB100B-6B43-61E9-EE03-000000002202}6084C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe"C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run 10341000x800000000000000060059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.739{67EB100B-5232-61E9-1600-000000002202}12884392C:\Windows\system32\svchost.exe{67EB100B-6B43-61E9-EE03-000000002202}6084C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000060058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.738{67EB100B-5232-61E9-1600-000000002202}12884392C:\Windows\system32\svchost.exe{67EB100B-6B43-61E9-EE03-000000002202}6084C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000060057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.636{67EB100B-5230-61E9-0B00-000000002202}6484172C:\Windows\system32\lsass.exe{67EB100B-5232-61E9-1600-000000002202}1288C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000060056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.636{67EB100B-5230-61E9-0B00-000000002202}6484172C:\Windows\system32\lsass.exe{67EB100B-5232-61E9-1600-000000002202}1288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000060055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-6B43-61E9-EF03-000000002202}6584C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e62|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e2c|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-6B43-61E9-EF03-000000002202}6584C:\Windows\servicing\TrustedInstaller.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-6B16-61E9-E603-000000002202}5472C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-6B16-61E9-E503-000000002202}2280C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5CB1-61E9-2C02-000000002202}6716C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5CB1-61E9-2B02-000000002202}4160C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5CB1-61E9-2A02-000000002202}1340C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5817-61E9-9401-000000002202}7120C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5817-61E9-9301-000000002202}3376C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-57F8-61E9-9001-000000002202}6464C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-571F-61E9-7101-000000002202}6460C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-56DA-61E9-6601-000000002202}6908C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5653-61E9-5001-000000002202}5708C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5645-61E9-4301-000000002202}2144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5644-61E9-4201-000000002202}5928C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5644-61E9-4101-000000002202}384C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5642-61E9-4001-000000002202}5756C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-52BE-61E9-9F00-000000002202}5040C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5296-61E9-9500-000000002202}512C:\Program Files\Greenshot\Greenshot.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5289-61E9-8300-000000002202}4136C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5288-61E9-8000-000000002202}2764C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5287-61E9-7D00-000000002202}3120C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5286-61E9-7B00-000000002202}2112C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5286-61E9-7A00-000000002202}1264C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+96a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5255-61E9-7300-000000002202}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5246-61E9-4300-000000002202}3540C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5246-61E9-3F00-000000002202}3480C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5245-61E9-3800-000000002202}3292C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5245-61E9-3100-000000002202}3104C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2D00-000000002202}2540C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2C00-000000002202}788C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2B00-000000002202}3068C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2800-000000002202}2888C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2700-000000002202}2876C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2600-000000002202}2864C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2500-000000002202}2840C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2300-000000002202}2824C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2200-000000002202}2752C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-523C-61E9-2000-000000002202}2600C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5233-61E9-1F00-000000002202}2132C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-1700-000000002202}1404C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-1600-000000002202}1288C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-1500-000000002202}1248C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-1400-000000002202}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-1300-000000002202}1036C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-1200-000000002202}804C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-1100-000000002202}636C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-1000-000000002202}420C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-0F00-000000002202}364C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-0E00-000000002202}104C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-0D00-000000002202}920C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-0C00-000000002202}864C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5230-61E9-0B00-000000002202}648C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5230-61E9-0A00-000000002202}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+96a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5230-61E9-0900-000000002202}584C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5230-61E9-0800-000000002202}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+96a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5230-61E9-0700-000000002202}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+96a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5230-61E9-0500-000000002202}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+96a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-522E-61E9-0200-000000002202}324C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+96a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.621{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-522E-61E9-0100-000000002202}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+96a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.605{67EB100B-5230-61E9-0B00-000000002202}648784C:\Windows\system32\lsass.exe{67EB100B-6B43-61E9-EE03-000000002202}6084C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.605{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5230-61E9-0900-000000002202}584C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e62|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e2c|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.605{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-6B43-61E9-EF03-000000002202}6584C:\Windows\servicing\TrustedInstaller.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.605{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-6B16-61E9-E603-000000002202}5472C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.605{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-6B16-61E9-E503-000000002202}2280C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.605{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5CB1-61E9-2C02-000000002202}6716C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.605{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-6B43-61E9-EF03-000000002202}6584C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.605{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5CB1-61E9-2B02-000000002202}4160C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.605{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5CB1-61E9-2A02-000000002202}1340C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.605{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.605{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5817-61E9-9401-000000002202}7120C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.605{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5817-61E9-9301-000000002202}3376C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.605{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-57F8-61E9-9001-000000002202}6464C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.605{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-571F-61E9-7101-000000002202}6460C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.605{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-56DA-61E9-6601-000000002202}6908C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.605{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5653-61E9-5001-000000002202}5708C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.605{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5645-61E9-4301-000000002202}2144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.605{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5644-61E9-4201-000000002202}5928C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.605{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5644-61E9-4101-000000002202}384C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.592{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5642-61E9-4001-000000002202}5756C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.592{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-52BE-61E9-9F00-000000002202}5040C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.592{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5296-61E9-9500-000000002202}512C:\Program Files\Greenshot\Greenshot.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.592{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.592{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.592{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.592{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5289-61E9-8300-000000002202}4136C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.592{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5288-61E9-8000-000000002202}2764C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.592{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5287-61E9-7D00-000000002202}3120C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.592{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5286-61E9-7B00-000000002202}2112C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.592{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5286-61E9-7A00-000000002202}1264C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+96a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.592{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5255-61E9-7300-000000002202}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.592{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.592{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5246-61E9-4300-000000002202}3540C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.592{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5246-61E9-3F00-000000002202}3480C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.592{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5245-61E9-3800-000000002202}3292C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.592{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5245-61E9-3100-000000002202}3104C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.592{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2D00-000000002202}2540C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.592{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2C00-000000002202}788C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.592{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2B00-000000002202}3068C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.592{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.592{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2800-000000002202}2888C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.592{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2700-000000002202}2876C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.592{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2600-000000002202}2864C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.592{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2500-000000002202}2840C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.592{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.592{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2300-000000002202}2824C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.574{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2200-000000002202}2752C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.574{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-523C-61E9-2000-000000002202}2600C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.574{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5233-61E9-1F00-000000002202}2132C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.574{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-1700-000000002202}1404C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.574{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-1600-000000002202}1288C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.574{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-1500-000000002202}1248C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.574{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-1400-000000002202}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.574{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-1300-000000002202}1036C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.574{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-1200-000000002202}804C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.574{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-1100-000000002202}636C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.574{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-1000-000000002202}420C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.558{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-0F00-000000002202}364C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.558{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-0E00-000000002202}104C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.558{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-0D00-000000002202}920C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.558{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-0C00-000000002202}864C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.558{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5230-61E9-0B00-000000002202}648C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.558{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5230-61E9-0A00-000000002202}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+96a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.558{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5230-61E9-0900-000000002202}584C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.558{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5230-61E9-0800-000000002202}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+96a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.558{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5230-61E9-0700-000000002202}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+96a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.558{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5230-61E9-0500-000000002202}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+96a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.558{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-522E-61E9-0200-000000002202}324C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+96a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.558{67EB100B-6B43-61E9-EE03-000000002202}60847052C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-522E-61E9-0100-000000002202}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+96a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000059919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.536{67EB100B-5230-61E9-0A00-000000002202}640308C:\Windows\system32\services.exe{67EB100B-6B43-61E9-EF03-000000002202}6584C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.489{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.489{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.489{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.489{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.489{67EB100B-5230-61E9-0500-000000002202}416432C:\Windows\system32\csrss.exe{67EB100B-6B43-61E9-EF03-000000002202}6584C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.489{67EB100B-5230-61E9-0A00-000000002202}6406244C:\Windows\system32\services.exe{67EB100B-6B43-61E9-EF03-000000002202}6584C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000059912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.496{67EB100B-6B43-61E9-EF03-000000002202}6584C:\Windows\servicing\TrustedInstaller.exe10.0.14393.3564 (rs1_release.200303-1942)Windows Modules InstallerMicrosoft® Windows® Operating SystemMicrosoft CorporationTrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=187076E4BC7B2F5FB7D54D1234B3CDEA,SHA256=7AE4CC64E2F0E5C58ABB6542233DA78B9AEAAD22C9D853AB96265EF3FBFEFABE,IMPHASH=648F735E453FC6802BFAECAC5ACA72A4{67EB100B-5230-61E9-0A00-000000002202}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x800000000000000059911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.489{67EB100B-5230-61E9-0B00-000000002202}648784C:\Windows\system32\lsass.exe{67EB100B-5230-61E9-0A00-000000002202}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.489{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5230-61E9-0B00-000000002202}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.489{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5230-61E9-0B00-000000002202}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.489{67EB100B-5230-61E9-0B00-000000002202}648784C:\Windows\system32\lsass.exe{67EB100B-5230-61E9-0A00-000000002202}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.489{67EB100B-5230-61E9-0B00-000000002202}648784C:\Windows\system32\lsass.exe{67EB100B-6B43-61E9-EE03-000000002202}6084C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.358{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.358{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.358{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.358{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.358{67EB100B-5286-61E9-7A00-000000002202}12646132C:\Windows\system32\csrss.exe{67EB100B-6B43-61E9-EE03-000000002202}6084C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.358{67EB100B-6B16-61E9-E503-000000002202}22805404C:\Windows\system32\cmd.exe{67EB100B-6B43-61E9-EE03-000000002202}6084C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000059900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.362{67EB100B-6B43-61E9-EE03-000000002202}6084C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe1.22Run a program with different settings that you choose.AdvancedRunNirSoftAdvancedRun.exe"C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /RunC:\Temp\ATTACKRANGE\Administrator{67EB100B-5288-61E9-FCE4-070000000000}0x7e4fc2HighMD5=17FC12902F4769AF3A9271EB4E2DACCE,SHA256=29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B,IMPHASH=563F92D1CB750F339006B11E53047050{67EB100B-6B16-61E9-E503-000000002202}2280C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Temp" 23542300x800000000000000060304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.993{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\fi-FI\mpuxagent.dll.muiMD5=2951324A4D9633A4A8920464A73DA9CE,SHA256=97EF042D4E86CC9E9808A75D2E139163FBDE643AF128C4F7EF0E9623AAFFEBF3,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.993{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\fi-FI\MpEvMsg.dll.muiMD5=7072A9CB63B9CB656A956520202F7CF9,SHA256=09BE50B13ECC453C1ECC58DD010E571203F21C54A07D0378E9F38E21C71F3596,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.993{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\fi-FI\MpAsDesc.dll.muiMD5=F2D957706D1265AA7B251713A3220A20,SHA256=77D9FD696576B30926E34F7695151F88211223C8554614F77EB0F9D7E7F440B8,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.977{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\fa-IR\mpuxagent.dll.muiMD5=2B63BA7C3221EF6A93F9C2619E2C8A84,SHA256=DE20279D35B8D326D76479B3FF7DBE7A61173FAF3D449058070542D9D58CB6A2,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.977{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\eu-ES\mpuxagent.dll.muiMD5=5B10AF1242CA7F648B490741F2DF8520,SHA256=AA5C7A32CE883F00D45F4AEAE72DFE705AE507181CC2CE689BF2426740EF2B83,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.977{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\et-EE\mpuxagent.dll.muiMD5=FB98D0BE2991E0FE20A069D56CD23B42,SHA256=ACC123176D10917CDF790A10081628D31E7AACEC9C8ECDC97A44E3A6E3C25080,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.977{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\et-EE\MpAsDesc.dll.muiMD5=97EDA100F26EAF8E95056AE742554177,SHA256=A326D66D07ED074A9494E53193584BB675C29CA70198A14C9ADBA3CE8CBC3BBB,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.977{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\es-MX\mpuxagent.dll.muiMD5=D69771B02DB93D6F6E8A343978F499A7,SHA256=9FCBDA0A30314F5A45CB005475AC90FFDC60585EF7816CBE691544F1E2299BA1,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.977{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\es-MX\MpAsDesc.dll.muiMD5=D1CBA62B76E5E851B8922EABFF2DEF6D,SHA256=1F9767C1C1EFE0C4D19D0F22C8FA6ADB60E4E88013CF8112D0BC60608EDDEE5C,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.962{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\es-ES\ProtectionManagement.dll.muiMD5=1933FC68D4038B5431F7CB7AE468F393,SHA256=961DF898ABCAC1F2911002445BFC624327BC153874D5E3E7556E467B360A55E2,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.962{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\es-ES\mpuxagent.dll.muiMD5=2FDE66202B0916607183D62E68CFB1B5,SHA256=AF712FBC07C22C3950C81F0F207EC5CB078591E16857DE6373ACDE71B814305E,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.962{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\es-ES\MpEvMsg.dll.muiMD5=1CEB1C751D2CF63A0856B30A74486565,SHA256=4421F31079246BD5A8B2C76B305BD88251DE81DAA0DBFDC393ACE55198B58F34,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.946{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\es-ES\MpAsDesc.dll.muiMD5=B6A28B3D905B28545AC4EC448846C6F4,SHA256=89404202E75E8D03AF2458906D9622C7ECD43F4B30180B079B143B77EA6BA6A4,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.946{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\en-US\ProtectionManagement.dll.muiMD5=57DD5DCD626332FA892BF1526D09C1D9,SHA256=385171BD15127FB8546EF4378CBEA2BF25F5063E6E731DFEB4EF868829FB25B9,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.946{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\en-US\mpuxagent.dll.muiMD5=FEA5726C8962F98A3601E47EADB5A3E9,SHA256=FC18C509866893EB03BC82F49C0EF07C344640CF8D6FA3963247ABB7521A4A56,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.946{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\en-US\MpEvMsg.dll.muiMD5=0D87F3932078B4049523B8CDD3EE5692,SHA256=46022C8F7CC601BF73D231C213612BFAED0E95A76BC510DA08B7323EC1CCB2EE,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.946{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\en-US\MpAsDesc.dll.muiMD5=BC78A3B5260E268C292724EA573194F9,SHA256=2C4B8F48370B6ADEA49A21F2D89F2400E54C3EE937120152B50A94FFE5F5F7A9,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.946{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\en-GB\mpuxagent.dll.muiMD5=DD65190763621E8E1B642A4305D5E801,SHA256=8CBEC55311F2B7234D1FBD9C46AB6CF33A165610960132FE73C19FF725579658,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.930{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\en-GB\MpAsDesc.dll.muiMD5=8DE66C308CA2A9340CC9E84F753FAA56,SHA256=AE6A41CA40A926287BCC94503AC9AD42568D6BB62B4CF2DF60F0599FA9E988FF,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.930{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\el-GR\mpuxagent.dll.muiMD5=222D67D112493530069E47CD64364BAF,SHA256=B6E4B5BF805802069890DF5FD769D48F370620E607809E48E233C78EFE6F90F1,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.930{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\el-GR\MpEvMsg.dll.muiMD5=9B6F194F0D0EB1ED21B000E07B0CBDCD,SHA256=E1A7E2391FFF39162293DD3AE201ADC393D8CC91E83A4B33C2C9A089EE69D203,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.930{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\el-GR\MpAsDesc.dll.muiMD5=53B61803FB8BDC469ED5D04FB8983233,SHA256=BE1609A94963D07A591C7D38947B28AE79A9D070385E70BD594A1DBD6DF7EB31,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.930{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\Drivers\WdNisDrv.sysMD5=9C4361259D5F0D7A36A10BD28D000F90,SHA256=7445476DE9BAB0D9C975DBDF63BD928D7E3139DF3FC69463BF08897E3B087575,IMPHASH=B2232D76DB16949062B092AC66B306E5truetrue 23542300x800000000000000060281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.915{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\Drivers\WdFilter.sysMD5=B6C6FFC05B52D2F8A433DD12C3A11D30,SHA256=666259E830F5EAC0707B2D957944B7468FA645271C60B8EA54E5130B8336D1F6,IMPHASH=D148E8A715DE2CD7B90529132F014544truetrue 23542300x800000000000000060280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.912{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\Drivers\WdDevFlt.sysMD5=26B890C2237E48DAF8B9B901EBE7A0C1,SHA256=B1D793E12DBF2CE5197960454F0A5AE6C93703FA5BF2D7622EC0FDFBAC183211,IMPHASH=61C274FC875F096B5217A7AC611C5557truetrue 23542300x800000000000000060279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.893{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\Drivers\WdBoot.sysMD5=1BF7CF2DBA97C71FF1876F0DE67421C3,SHA256=B946398AB34EF5BF16DC3461D32261664760C0F86E8A281BCD90361A170E27FD,IMPHASH=4B7A0029980F4F757F052F90FE2D4610truetrue 23542300x800000000000000060278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.893{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\de-DE\ProtectionManagement.dll.muiMD5=381A9FC19B05718037AA3A552715C54F,SHA256=EA4DDE3088A05BA4A894FB81A8ABF0769DB0A8F79F9D1E5E96BEB916610710C4,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.893{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\de-DE\mpuxagent.dll.muiMD5=16C6FFA34E0C59EE77F916EBF9148AFC,SHA256=6EE8E608A103E991460B51D87AEFCA126EC8744642559B536F70330A848CFB08,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.893{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\de-DE\MpEvMsg.dll.muiMD5=7AF483C2AFFDD95213DDDC495D001DC0,SHA256=155EC9FBBE052BCCF189B89EF0F802DA48547D107A26A9E342BF9A23B4F1ADFF,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.893{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\de-DE\MpAsDesc.dll.muiMD5=FF00B121B166AB8E4857EABE4AAB9BCC,SHA256=9285FDDC5E40919E750A95C255588332876547495F6E245BAD983D612DAA4704,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.877{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\da-DK\mpuxagent.dll.muiMD5=C63C9C4C55D3B4172BADC2FB45014D5D,SHA256=88346BDE6D5FC1C0CADFA5755944F466F8960C9CC17A5339851A2BAD42376C70,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.877{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\da-DK\MpEvMsg.dll.muiMD5=849192FB21F761073C9ED4A3F5BD4688,SHA256=1EAC8A8C05B8AAFB4505A7828D7E7F98567BD0C71DEE4E08AF467F31D34A9828,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.877{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\da-DK\MpAsDesc.dll.muiMD5=BB1447340673FA9F6B96A9987290F278,SHA256=A166D52AA0AB379DE33CF5796A5B1861246A36BB8B17D8C87E0F0529338C0AC3,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.877{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\cy-GB\mpuxagent.dll.muiMD5=CF1FB8FA2725C2DC530AE045F1ED8A6B,SHA256=EEB5D85389F768042AFEB2B1203BCC151069F53DAFED28DB404122013041241F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.877{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\cs-CZ\mpuxagent.dll.muiMD5=FFE6628B2AD343CDA7FDFEF38B84B48C,SHA256=B5E81F2E96B81367B16D77BDB21FF45C92B880DF501AD17FEE4F8B1E756C636D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.877{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\cs-CZ\MpEvMsg.dll.muiMD5=C40C173214A061E8BCDF28F6328CAD40,SHA256=17B281694628800A6B1541826B912F8FF0788D171A900F6DF4BA8A6AC01B3A46,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.862{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\cs-CZ\MpAsDesc.dll.muiMD5=71EA670E1886321DDDDF005D7B47A7FD,SHA256=BC031DC51AE7128AEE1ADCCDA0F7ACC9EB3BBE8DE121B206B0E9801E956F82B7,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.862{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\ca-ES-valencia\mpuxagent.dll.muiMD5=C9E9AE82C7782DC0E66BFE5EFEFF336C,SHA256=CA202FDD69FB81DBF24708D144E942FC10ACCFA4703BE979AAD55FD88B62E7F6,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.862{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\ca-ES\mpuxagent.dll.muiMD5=0EC7F6A6BDC86183AA58893F948989A2,SHA256=02FC3320529F9A51D88030CE7C03AC3A62517B8141768FE001B995DCFBB202F4,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.862{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\ca-ES\MpAsDesc.dll.muiMD5=D2A485200AE94654A45301149D87A8A1,SHA256=9164442B33BAA1DAAF4609189D8169CA9DFA67BB673683F66A49ED9145DA7585,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.846{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\bs-Latn-BA\mpuxagent.dll.muiMD5=6C4B5C9E187A6B13C39FAA41C742EDD6,SHA256=9C776358CD7A47CCBA26F992472A0A739C6F0C152B89B5AEDDCACA8AC43684F0,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.846{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\bn-IN\mpuxagent.dll.muiMD5=231D5D0EC76C7498E5A94E120943699F,SHA256=1807A40E971F9A586671F144CFB34404D2AFAA027EC9E670E323BA70577FC9E4,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.846{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\bg-BG\mpuxagent.dll.muiMD5=6275E196D18A7E2E298B30AF3ED5C880,SHA256=06B162090901AC0604283E1CE2EC1928E0A7C651332C3E7BE593E438DB02AC88,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.846{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\bg-BG\MpAsDesc.dll.muiMD5=DDFB72494C7DAB2C2DCBBF58F1384BB8,SHA256=7E28FA6FC9DD05652F3DDCC4B9BC54469DD44995EC69EF149B9477B4C0CE53D6,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.846{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\az-Latn-AZ\mpuxagent.dll.muiMD5=06A297C9B8293DA4AC3B56D304874F2A,SHA256=C5D1763D4F042FE777BB02E47E26F76EC9008AF689679BDA6480E1541A1158BF,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.846{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\as-IN\mpuxagent.dll.muiMD5=D359F26A958650D3B5A28495DC39D409,SHA256=F2A33F57BED6013E9850AB150C83577862DE7FADA3CAA1C87C94100F486D92A7,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.830{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\ar-SA\mpuxagent.dll.muiMD5=53F858DC25ADF3684E7E025277A57023,SHA256=D57524C7B0D7FE779DC3803F041C341F818381E19703D32BAA988F1697D1175C,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.830{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\ar-SA\MpAsDesc.dll.muiMD5=628870D988EFBFC39C06E7BA62495FFE,SHA256=161D58719676884DB3BDFEA9A5770A55EC7BEBE839D97B6ECA3D20EC5A3D6B2D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.830{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\am-ET\mpuxagent.dll.muiMD5=F5F731716CA6C6CEFF57DEE03EB33376,SHA256=A2E33041860906CEF0BCE5B2F3FD2AF88E3DB61E97FF9EB16D650CAD1F69F708,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.830{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\af-ZA\mpuxagent.dll.muiMD5=2A54A6EFE0D70D2F8120E4F9AE10F2AE,SHA256=F90B4913826DA577A68006FC7211E2390534BE9639934AFC5A375436373B1C71,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.830{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Network Inspection System\Support\NisLog.txtMD5=F49BC2F27AC3DEB9807126CD604B494E,SHA256=349E4C7475FB5E7F590E7B622543F0498E185EA4A8749183B3830A6BF643C46E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.747{67EB100B-5232-61E9-1600-000000002202}12881856C:\Windows\system32\svchost.exe{67EB100B-6B44-61E9-F303-000000002202}5148C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000060252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.747{67EB100B-5232-61E9-1600-000000002202}12881328C:\Windows\system32\svchost.exe{67EB100B-6B44-61E9-F303-000000002202}5148C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000060251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.734{67EB100B-5243-61E9-2500-000000002202}2840NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0231120d92e8ee7ae\channels\health\respondent-20220120121502-103MD5=8F9BF81EEEF0CC5FBD19D34ACA4D7654,SHA256=BDB857148A23C205BC97FF1DFCA28720A075C205934C789E9782C71AA2112876,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.712{67EB100B-5230-61E9-0B00-000000002202}6484172C:\Windows\system32\lsass.exe{67EB100B-6B44-61E9-F303-000000002202}5148C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000060249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.712{67EB100B-5230-61E9-0B00-000000002202}6484172C:\Windows\system32\lsass.exe{67EB100B-6B44-61E9-F303-000000002202}5148C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000060248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-CreatePipe2022-01-20 14:01:40.677{67EB100B-6B44-61E9-F303-000000002202}5148\PSHost.132871609003769689.5148.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000060247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.661{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_wa2v4mor.adv.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.661{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=0837FFC137134DE8CAC0C47E54517BA0,SHA256=A1EACC8D7D9E32FF16F8DD2D260AAF741BD2F56DCF29D82655122DE21C71AA23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.661{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_n1ycc5ux.o3s.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.646{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6A4ECFD6886673FE1172B2C414EED6F1,SHA256=700EB9E3D095842BE1CB41A61545EC7EFBDB5C361C58F8F380611B5E62DF78E6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000060243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.614{67EB100B-6B44-61E9-F303-000000002202}5148C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_n1ycc5ux.o3s.ps12022-01-20 14:01:40.614 10341000x800000000000000060242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.609{67EB100B-5230-61E9-0B00-000000002202}6484172C:\Windows\system32\lsass.exe{67EB100B-6B44-61E9-F303-000000002202}5148C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000060241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.592{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-6B44-61E9-F303-000000002202}5148C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000060240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.577{67EB100B-5230-61E9-0B00-000000002202}6484172C:\Windows\system32\lsass.exe{67EB100B-6B44-61E9-F303-000000002202}5148C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000060239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.492{67EB100B-5232-61E9-1600-000000002202}12881856C:\Windows\system32\svchost.exe{67EB100B-6B44-61E9-F403-000000002202}5564C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000060238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.492{67EB100B-5232-61E9-1600-000000002202}12881328C:\Windows\system32\svchost.exe{67EB100B-6B44-61E9-F403-000000002202}5564C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000060237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.477{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFB2D73AEE5866ECC503CB3AE1BE2A40,SHA256=D42B8B5638ABE0EB3B5B8406A09171655E21D0B7D4909EB01561E79DDA772EDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.477{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F69F2653222AE27E9B5C7C0113FA88C0,SHA256=FDFD9A5AA0641BABBE4371ADD183F1DA4F4F9FAE9E6920974EAC3734F9D82D1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.477{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=490C05A2798490D3CDA1AC2F4F24920B,SHA256=60430A80FBC3FF820B3194A4AE069FDDA5166632CD1A7000DD96E04FF6D4C67F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.461{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=FBE3AA1806C25FA6D5481A1B1D825FA6,SHA256=AE9DEBC8DD228F9953AD025CD9E2F59083FB74D5D4FAAED3D29D3CB271331438,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.461{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E84F06358F1C7F5D0CDF2A3CDB81F754,SHA256=93219EB60D718AFBF469BEFA6A2E69952B95961B9D96196BB51575FFCCBEED2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.461{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D91F1546ABC7180A15338C8AF7AF1C92,SHA256=EBAAC13D9E9ACFA945660CED96A9FD12EECD0EAFFFF320AD5B2047BAA9F6BFA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000060231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.446{67EB100B-6B44-61E9-F403-000000002202}55645796C:\Windows\system32\conhost.exe{67EB100B-6B44-61E9-F303-000000002202}5148C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000060230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.409{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000060229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.409{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000060228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.409{67EB100B-5286-61E9-7A00-000000002202}12642436C:\Windows\system32\csrss.exe{67EB100B-6B44-61E9-F403-000000002202}5564C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000060227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.409{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000060226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.409{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000060225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.376{67EB100B-5286-61E9-7A00-000000002202}12643096C:\Windows\system32\csrss.exe{67EB100B-6B44-61E9-F303-000000002202}5148C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 534500x800000000000000060224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.376{67EB100B-6B43-61E9-F203-000000002202}6880C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe 10341000x800000000000000060223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.376{67EB100B-5230-61E9-0500-000000002202}4161776C:\Windows\system32\csrss.exe{67EB100B-6B44-61E9-F303-000000002202}5148C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000060222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.376{67EB100B-5232-61E9-1600-000000002202}12881856C:\Windows\system32\svchost.exe{67EB100B-6B44-61E9-F303-000000002202}5148C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\seclogon.dll+17dc|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035387Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:40.535{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6B44-61E9-6303-000000002202}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035386Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:40.535{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035385Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:40.535{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035384Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:40.535{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035383Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:40.535{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035382Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:40.535{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035381Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:40.535{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035380Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:40.535{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035379Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:40.535{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035378Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:40.535{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035377Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:40.535{8EF30467-5220-61E9-0500-000000002202}412528C:\Windows\system32\csrss.exe{8EF30467-6B44-61E9-6303-000000002202}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035376Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:40.535{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6B44-61E9-6303-000000002202}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035375Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:40.536{8EF30467-6B44-61E9-6303-000000002202}1088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035374Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:40.019{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AE69317FAB954A4D2FC098000B824FA,SHA256=DCDE0B105ADAD9805418858E24FEAEA01858CD587B984E5F77536732041966FC,IMPHASH=00000000000000000000000000000000falsetrue 154100x800000000000000060221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.376{67EB100B-6B44-61E9-F303-000000002202}5148C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" rmdir 'C:\ProgramData\Microsoft\Windows Defender' -RecurseC:\Windows\System32\WindowsPowerShell\v1.0\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e72SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{67EB100B-6B43-61E9-F203-000000002202}6880C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe"C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run 10341000x800000000000000060220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-5232-61E9-1600-000000002202}12881856C:\Windows\system32\svchost.exe{67EB100B-6B43-61E9-F203-000000002202}6880C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000060219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-5232-61E9-1600-000000002202}12881856C:\Windows\system32\svchost.exe{67EB100B-6B43-61E9-F203-000000002202}6880C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000060218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-6B43-61E9-EF03-000000002202}6584C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e62|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e2c|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-6B43-61E9-EF03-000000002202}6584C:\Windows\servicing\TrustedInstaller.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-6B16-61E9-E603-000000002202}5472C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-6B16-61E9-E503-000000002202}2280C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5CB1-61E9-2C02-000000002202}6716C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5CB1-61E9-2B02-000000002202}4160C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5CB1-61E9-2A02-000000002202}1340C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5817-61E9-9401-000000002202}7120C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5817-61E9-9301-000000002202}3376C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-57F8-61E9-9001-000000002202}6464C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-571F-61E9-7101-000000002202}6460C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-56DA-61E9-6601-000000002202}6908C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5653-61E9-5001-000000002202}5708C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5645-61E9-4301-000000002202}2144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5644-61E9-4201-000000002202}5928C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5644-61E9-4101-000000002202}384C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5642-61E9-4001-000000002202}5756C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-52BE-61E9-9F00-000000002202}5040C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5296-61E9-9500-000000002202}512C:\Program Files\Greenshot\Greenshot.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5289-61E9-8300-000000002202}4136C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5288-61E9-8000-000000002202}2764C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5287-61E9-7D00-000000002202}3120C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5286-61E9-7B00-000000002202}2112C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5286-61E9-7A00-000000002202}1264C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+96a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5255-61E9-7300-000000002202}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5246-61E9-4300-000000002202}3540C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5246-61E9-3F00-000000002202}3480C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5245-61E9-3800-000000002202}3292C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5245-61E9-3100-000000002202}3104C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2D00-000000002202}2540C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2C00-000000002202}788C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2B00-000000002202}3068C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2800-000000002202}2888C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2700-000000002202}2876C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2600-000000002202}2864C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2500-000000002202}2840C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2300-000000002202}2824C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2200-000000002202}2752C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-523C-61E9-2000-000000002202}2600C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5233-61E9-1F00-000000002202}2132C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-1700-000000002202}1404C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-1600-000000002202}1288C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-1500-000000002202}1248C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-1400-000000002202}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-1300-000000002202}1036C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-1200-000000002202}804C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-1100-000000002202}636C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-1000-000000002202}420C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-0F00-000000002202}364C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-0E00-000000002202}104C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-0D00-000000002202}920C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-0C00-000000002202}864C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5230-61E9-0B00-000000002202}648C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5230-61E9-0A00-000000002202}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+96a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5230-61E9-0900-000000002202}584C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5230-61E9-0800-000000002202}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+96a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5230-61E9-0700-000000002202}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+96a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5230-61E9-0500-000000002202}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+96a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-522E-61E9-0200-000000002202}324C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+96a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.361{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-522E-61E9-0100-000000002202}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+96a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.345{67EB100B-5230-61E9-0B00-000000002202}6484172C:\Windows\system32\lsass.exe{67EB100B-6B43-61E9-F203-000000002202}6880C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000060150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.345{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5230-61E9-0900-000000002202}584C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e62|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e2c|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.345{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-6B43-61E9-EF03-000000002202}6584C:\Windows\servicing\TrustedInstaller.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.345{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-6B16-61E9-E603-000000002202}5472C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.345{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-6B16-61E9-E503-000000002202}2280C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.345{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5CB1-61E9-2C02-000000002202}6716C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.345{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5CB1-61E9-2B02-000000002202}4160C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.345{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5CB1-61E9-2A02-000000002202}1340C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.345{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5833-61E9-A001-000000002202}6952C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5817-61E9-9401-000000002202}7120C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5817-61E9-9301-000000002202}3376C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-57F8-61E9-9001-000000002202}6464C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-571F-61E9-7101-000000002202}6460C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-56DA-61E9-6601-000000002202}6908C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5653-61E9-5001-000000002202}5708C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5645-61E9-4301-000000002202}2144C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5644-61E9-4201-000000002202}5928C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5644-61E9-4101-000000002202}384C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5642-61E9-4001-000000002202}5756C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-52BE-61E9-9F00-000000002202}5040C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5296-61E9-9500-000000002202}512C:\Program Files\Greenshot\Greenshot.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5289-61E9-8300-000000002202}4136C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5288-61E9-8000-000000002202}2764C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5287-61E9-7D00-000000002202}3120C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5286-61E9-7B00-000000002202}2112C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5286-61E9-7A00-000000002202}1264C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+96a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5255-61E9-7300-000000002202}3264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5246-61E9-4300-000000002202}3540C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5246-61E9-3F00-000000002202}3480C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5245-61E9-3800-000000002202}3292C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5245-61E9-3100-000000002202}3104C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2D00-000000002202}2540C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2C00-000000002202}788C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2B00-000000002202}3068C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2800-000000002202}2888C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2700-000000002202}2876C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2600-000000002202}2864C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2500-000000002202}2840C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2300-000000002202}2824C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5243-61E9-2200-000000002202}2752C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-523C-61E9-2000-000000002202}2600C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5233-61E9-1F00-000000002202}2132C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-1700-000000002202}1404C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-1600-000000002202}1288C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-1500-000000002202}1248C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-1400-000000002202}1064C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-1300-000000002202}1036C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-1200-000000002202}804C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-1100-000000002202}636C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-1000-000000002202}420C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-0F00-000000002202}364C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-0E00-000000002202}104C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.330{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-0D00-000000002202}920C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.314{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5232-61E9-0C00-000000002202}864C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.314{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5230-61E9-0B00-000000002202}648C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.314{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5230-61E9-0A00-000000002202}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+96a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.314{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5230-61E9-0900-000000002202}584C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.314{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5230-61E9-0800-000000002202}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+96a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.314{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5230-61E9-0700-000000002202}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+96a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.314{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-5230-61E9-0500-000000002202}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+96a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.314{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-522E-61E9-0200-000000002202}324C:\Windows\System32\smss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+96a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.314{67EB100B-6B43-61E9-F203-000000002202}68806548C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe{67EB100B-522E-61E9-0100-000000002202}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+96a7|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1fae|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+218d|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000060083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.314{67EB100B-5230-61E9-0B00-000000002202}6484172C:\Windows\system32\lsass.exe{67EB100B-6B43-61E9-F203-000000002202}6880C:\Users\Administrator\AppData\Local\Temp\AdvancedRun.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000060082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.237{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78303ADB905B5CB5FC3DCE741C0D5AE5,SHA256=7703E824EEC51E0B2E381BEF6EE9896D9A795C5AA715A3A0D9692CA5CA1A2F04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.119{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=894D027F39FB6A3BD42E984986792376,SHA256=FCBDF098016A46B79BFAA0993390F4F5752BEB83C26E71B4C49D42E5CB614946,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.102{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26DC89C60AEFC8AE067458556C3E841C,SHA256=623EEB2D83573A7DBA4F9EC53BD075F6F0D642D80C054E988D619FB9C718F162,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.993{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\MpCopyAccelerator.exeMD5=B613F7C352DB0471338A01FA7CF94521,SHA256=71ABD7C64E51AF9A750A31BAC218F9E6781C913869D97AA4024C2456E101CB20,IMPHASH=775658B4F88AC7DE8C3C8D449492BD1Ctruetrue 23542300x800000000000000060460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.977{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\MpCommu.dllMD5=98DE76E6BD6919C81785F34F3E4E4025,SHA256=A5D1C85E15E4454D0CF4E613107F688B540A046659F1DDECA859B395335BD50D,IMPHASH=35E8A857FF827D9A41B3350558B1A472truetrue 23542300x800000000000000060459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.977{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\MpCmdRun.exeMD5=D50CBCB0B8B3282CD169E0032361D418,SHA256=F7B6EB6E4D8E04C7243AB0AB73CEC6E20E980F07E03267ED4B0CA69CF9CDAB3D,IMPHASH=64204466147057F73085F9FF5ED1840Atruetrue 23542300x800000000000000060458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.930{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\MpClient.dllMD5=FD7D2158F21085FF8E8C46829839708E,SHA256=DE50D8BB61B7F0BB423E4A50A6775192C4809F63C18BE9426C4AC2E127BB9DA9,IMPHASH=0D1EE75448E1ED838607628FA1A8D94Etruetrue 23542300x800000000000000060457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.877{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\MpAzSubmit.dllMD5=C10F256B7606EE5B1BED880020F68912,SHA256=C649EC99F87F684D22157755E5F8E0AF7C1EFD54853493965A673A3F0FFB4AC6,IMPHASH=300ED5E63E8A71D34B395F9FB0DBF683truetrue 23542300x800000000000000060456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.760{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\MpAsDesc.dllMD5=A27F0ABF90F3B468C6F15CDAFBBC3312,SHA256=503DF4EF842D6621139D4A15D68955E4926C0C6B5CCCEF60323290A6FC08343F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.747{67EB100B-5243-61E9-2500-000000002202}2840NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0231120d92e8ee7ae\channels\health\surveyor-20220120121500-104MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.715{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\Microsoft-Windows-Windows Defender.manMD5=36F8A68EECFB5B89C4C571F6A63E3ECA,SHA256=4D76246642181E38F87B623AF82BF7454050D05775F546506CFACA1608BE9633,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.715{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\Microsoft-Antimalware-Service.manMD5=B003B1DFFD9221745ED31E2979B28574,SHA256=5AE7493F638252D49F18B084D7CEA4E88D3AF6B1170C8C16EABF5C6AE849E3C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.715{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\Microsoft-Antimalware-RTP.manMD5=35AC30A8637BC0EB2F7902B8C69BF904,SHA256=FE761134076253DC11CF8C154CA43E762C61C28D0A817E76351FFEF32CCF59C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.715{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\Microsoft-Antimalware-Protection.manMD5=E4AD891E7B62475FCA109C0DF4DEF16E,SHA256=DF9AD93CDB61587A35FCDCE996955A64413439A474D85C86133A9E9C185D1966,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.714{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\Microsoft-Antimalware-NIS.manMD5=5562965C32F03AE0DF8B9DEF950F8651,SHA256=EA64BE59286B67AE930729FA92B2B08DCE5C2EAEB70FEABE2320C47FB6DDAC6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.713{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\Microsoft-Antimalware-AMFilter.manMD5=B6D65A86FC1999A62DA10EA3C4CAD3E4,SHA256=05B2BFD40FB3A344C3AE178C420A7FEA9595815CB1CC07843078112F5F551EAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.711{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\endpointdlp.dllMD5=BBDFA9DA2F8E10903C095F504A2188B1,SHA256=4B3DE446F41D0410C06E9FAFF8823D380BCBDADB5B381C702CE3A5E2535A7142,IMPHASH=4E716FB51FA8B3F8D25BBE321A933985truetrue 23542300x800000000000000060447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.693{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\ConfigSecurityPolicy.exeMD5=065E4E5BE96865266D1FC4449274CE20,SHA256=98E3951BA9FACFB2B878D98D237D63C675878A09D9B6E18640C96746B6665041,IMPHASH=C1B5D6B4F7C8A5BCC84810A010E14536truetrue 23542300x800000000000000060446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.613{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8C35012B04552F6E2ABDE12711EA628A,SHA256=5B7C7AD3FA4F636C284C87AA2E8FB947CD3E74139080C966D72FECE748712D6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.611{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2A7568193E89C7FE6E22FC3516B38F13,SHA256=E06F85A4761768CDDA0C8F73C675B40EF7EA31712880993A4C2AC403DC3D4ED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.577{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\com.microsoft.defender.be.chrome.jsonMD5=60A2FC65D3CC1D3DE9ECD2C5319738FC,SHA256=6C6F52B13235148AF305BD614779EA885C00B64D0BB7CC764E3C67198CC524A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.577{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\zh-TW\ProtectionManagement.dll.muiMD5=5EEAFAC8017831BED41402B0CFB7CD1A,SHA256=AC5968C53994D55E2FBC20A5BA9DF19F9A6B7F3619E56E859BC9A85E7ED3CEDF,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.577{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\zh-TW\mpuxagent.dll.muiMD5=9FD7C75F65C5AB7CD0379337ACE6777D,SHA256=4D4D6B443BF0C29D97517763702B24229E0656312D1B3810104B60B3CE4A026C,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.577{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\zh-TW\MpEvMsg.dll.muiMD5=3B15F377EF6F4A43466F4D8CA2ADAC8A,SHA256=322B9C5DE528180BDBF2F8E0BDEAA724779BFEB4A1A84F30875FFB2CD4BB7F5E,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.577{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\zh-TW\MpAsDesc.dll.muiMD5=72632B8E416A153787D2D010D6C374E0,SHA256=CE2B21F5F25E574ED7B5FC7C381B82A46274C69A803393183E03773404B9C384,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.577{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\zh-CN\ProtectionManagement.dll.muiMD5=E648AA637FDBB85D8E5513FC36367941,SHA256=0E827FA44D0228A1819611BB935FEE4B49B77F225D1A0AB1106052271489B7BF,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.577{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\zh-CN\mpuxagent.dll.muiMD5=ECA0F1F0613ADC6AB3AD41A4231644DA,SHA256=C32E60C50963BA642B2B147A4ADB208338DDA9AB6A5F7220C8845950D72F7BAB,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.561{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\zh-CN\MpEvMsg.dll.muiMD5=5FD7A02D2B6C5EE2ED14E07A4A6F36BD,SHA256=7EB646897BD9FF85CD859A48BFF19D994AA44137AD6B06E90AD2C7F0F2A65C9D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.561{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\zh-CN\MpAsDesc.dll.muiMD5=6B9084CA751B5AE068F5162096D2A1CF,SHA256=A6D1822E0600E72B0BF263A93084EA5641472E0EE4ED0CBFC2F51C5371927905,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.561{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\X86\MsMpLics.dllMD5=30AC9560D381D704B9F7ADDAF0F82A94,SHA256=E1FA909C9A6BFE68C219734F54A1605A0920E6E0914D780DF59F7855BE6A0F5C,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.561{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\X86\MpOAV.dllMD5=F963795F0C4B10F6A06D44A89025A235,SHA256=C0C9B303A85E085CAF876CD46EB30152F4D5557F404B2F896728802C4A427E4C,IMPHASH=B153971B18B753F5A5050CE54B02C2E0truetrue 23542300x800000000000000060433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.546{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\X86\MpDetoursCopyAccelerator.dllMD5=E14F76935B760B68B34AAB00CC6A7116,SHA256=20B97E552984F597711D8A8C766A809F51657F1F59A9BA3CEE13E7CD97717FAF,IMPHASH=74478D3FF071B77E9B32D63F1F5AA17Atruetrue 23542300x800000000000000060432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.546{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\X86\MpDetours.dllMD5=B8D9BDFE2B9E5CC434D08C2D58EE362A,SHA256=5EABB3CA44F9247703978939C1C1759CBF9D69BD0D53F4B9D3BEFDF476415DB8,IMPHASH=6E757FB64260833FA5C6C4D97D8045D3truetrue 23542300x800000000000000060431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.514{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\X86\MpCmdRun.exeMD5=ECA84EEA3FC50DBC31A17D271B7062AF,SHA256=B0337D5C7D36278EC6707749F35341EB6EAAD8B1713125C043E298021BA07401,IMPHASH=95D49CB882332BDC4900DE33E1D18DB9truetrue 23542300x800000000000000060430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.492{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\X86\MpClient.dllMD5=6080672558962E1E2AAD8CFDF838A294,SHA256=3986D2EB04BC82362722BB70C71BCBABBD0FCF567B278BA6DC3770ADDDCC45C5,IMPHASH=9F614314F6D26F33EFAA597705EF50CCtruetrue 23542300x800000000000000060429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.414{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\X86\MpAsDesc.dllMD5=FFF62C12CDFBB5F8245F0C5E09CE6276,SHA256=55E058C5969102272EA423BFE8467325FBE0DA2627258DB99243307280778B54,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.414{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\X86\endpointdlp.dllMD5=8413BF8A8B935E57D301CBCDA64E1934,SHA256=EA371C42AED818BF88AB029F439167F803ADB1C9595B7DDB8DFF16EBBA591828,IMPHASH=DF639EAACE96DA9DCDDBF265D8B56341truetrue 23542300x800000000000000060427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.414{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F69F2653222AE27E9B5C7C0113FA88C0,SHA256=FDFD9A5AA0641BABBE4371ADD183F1DA4F4F9FAE9E6920974EAC3734F9D82D1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.412{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=220F29D33A08BCDFB0433F08FDC59F17,SHA256=73EB2D3F23241FB25BA897F2B75F433A12BD3BBF3DB4C7E3B99298CE6C41D634,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.377{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\X86\en-US\MpAsDesc.dll.muiMD5=499D4C07DDF2D258B8CB7B37A1D892CC,SHA256=3994A0D7AFCE70F018B673C5689E192CE28545C55AFAFEE1C37743AA0F934CF8,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.377{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\vi-VN\mpuxagent.dll.muiMD5=F587B7F551D3304A63BE6764965B701C,SHA256=B45C39AE05934549E09841C0391F844C1B63FBB9134B2EBC8CC9F4B426178D11,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000035417Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:41.723{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6B45-61E9-6503-000000002202}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035416Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:41.723{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035415Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:41.723{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035414Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:41.723{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035413Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:41.723{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035412Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:41.723{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035411Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:41.723{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035410Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:41.723{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035409Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:41.723{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035408Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:41.723{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035407Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:41.723{8EF30467-5220-61E9-0500-000000002202}412428C:\Windows\system32\csrss.exe{8EF30467-6B45-61E9-6503-000000002202}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035406Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:41.723{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6B45-61E9-6503-000000002202}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035405Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:41.723{8EF30467-6B45-61E9-6503-000000002202}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035404Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:41.566{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DF095D9CF8CEE68A37B95B54057D98C,SHA256=EC6F0FC13D0A590F293FEB9C3C365D6A9BB1E0AEE91BA2646D7F8D04F7681675,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035403Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:41.566{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81E188899E10C0E956CEB13D86BA184E,SHA256=05BE1660FA1730456E04509090F2AA6BA8D9729A349B1E3F345781642EAC0797,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035402Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:41.224{8EF30467-6B45-61E9-6403-000000002202}39321804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035401Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:41.051{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6B45-61E9-6403-000000002202}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035400Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:41.051{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035399Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:41.051{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035398Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:41.051{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035397Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:41.051{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035396Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:41.051{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035395Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:41.051{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035394Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:41.051{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035393Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:41.051{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035392Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:41.051{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035391Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:41.051{8EF30467-5220-61E9-0500-000000002202}412528C:\Windows\system32\csrss.exe{8EF30467-6B45-61E9-6403-000000002202}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035390Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:41.051{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6B45-61E9-6403-000000002202}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035389Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:41.052{8EF30467-6B45-61E9-6403-000000002202}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035388Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:41.035{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EC47D2F2521BFE700AAFFC2957B21EB,SHA256=00A9051E62201DFB491136F5D23F84EAFEE3CBFD86BB71FD6C6D296DAA87DDEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.377{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\vi-VN\MpAsDesc.dll.muiMD5=8292B42976EA7E5B4A5143006550C0DB,SHA256=652CA8F94969FE4BAADEAE439D48274B2E0C828169B523D5CE9D9C5E1CDD6951,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.361{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\ur-PK\mpuxagent.dll.muiMD5=023469B9CE9A65693DDE3DAAA3B7F41C,SHA256=BAF468BF80396223C1A0B93DC499A8B713C12E8656BA42D3D2176DC29E729237,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.361{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\uk-UA\mpuxagent.dll.muiMD5=F345D7719ED1F32D9443AB71D36BAC3E,SHA256=13AC1F29F2108EC7DB952EDBC6F51DA4D2F0CBDA46B514EFF70B2E96E06B37B9,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.361{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\uk-UA\MpAsDesc.dll.muiMD5=088D2A1E50EF7AF09C5D828C322DA741,SHA256=535E01F1C8A430CDCA3A804A92D80B6319017737D4B8CB431F5C23B1EF4AFE5C,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.330{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\ug-CN\mpuxagent.dll.muiMD5=F9007E5EF37ED62D4574EA8F1AA41875,SHA256=7B74D3CA3A9951C039993B34BC4A04BF810A6FCA726485599E336ABEB5E2F3EB,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.314{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\tt-RU\mpuxagent.dll.muiMD5=2A6AFABE73744D9F425AD9D689A536E4,SHA256=8317A8E6F50BD32F95317BE8EEA81E17E2A7663CB62186995CBBA994DDDCE0DF,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.314{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\tr-TR\mpuxagent.dll.muiMD5=FE8D22F1A5E40B9B74C7DB47C7C3CAFB,SHA256=45FDAD8C8F84182DA054E152C5F2CB132DB835BD9DD8816C19EFDFB070AEEB6F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.314{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\tr-TR\MpEvMsg.dll.muiMD5=72793569DA2104C377C013B7FF0DC4AA,SHA256=AAA4B1E8BDA6A3CDED4D7BDDB69277EE7D5596453EE4667DF0275AAED5ABC059,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.314{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\tr-TR\MpAsDesc.dll.muiMD5=40287708A40088B80943086E910F6D2D,SHA256=80364521D699C22083CD4BABE754DD98D4897F22CBE2D658E1605A5558064BF6,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.309{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\th-TH\mpuxagent.dll.muiMD5=19FBFBC2D7C95B8580A4C38A5B4DBFA5,SHA256=447674122E4A5E67132BEDBE0E9FC383B04C3A8766A77FC7106758E3847D29E0,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.293{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\th-TH\MpAsDesc.dll.muiMD5=7B0C4FD9826AD7EB0E9486581E8CA50A,SHA256=466DA97CB1ACE2FDB0640D14985F7D609BD200CFAC489145EAF12180C8140579,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.277{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\te-IN\mpuxagent.dll.muiMD5=B48495672B8C2953E207915CC937FE09,SHA256=AB35CB5076BE4D422C979227A2A53F28CF0BEE720F177AB0F5BEBB7A2D94B93E,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.277{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\ta-IN\mpuxagent.dll.muiMD5=5643685F146F6D3FE21A20D48ADB152F,SHA256=95A564843D4545EFFC97B6E82102D4DC68959400C2B791F64D3361031AD709A7,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.277{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\sv-SE\mpuxagent.dll.muiMD5=82C9C6174E08258BBE12FDAE6A21254D,SHA256=FD0D9CF27F78F3A14711959F2DF8CD2425DB148394A92EA5B93E46DD23B1CE37,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.277{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\sv-SE\MpEvMsg.dll.muiMD5=96FB7CA817E3C5DAFFEBDFEC7D84A518,SHA256=35AE2935EC38672E29A09E85FEDF04B6698D5A0EF6DB3935825417DB01D09501,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.277{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F1C3881D70EE29502119CC77D42FD72,SHA256=A732A05BF39142FE3C4446B78B11F4AC2126AA1C227C6BC8C778AEE0CC794948,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.261{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\sv-SE\MpAsDesc.dll.muiMD5=F98760FC587DDD6A9F74ACC580D3EBD6,SHA256=2D61497309D01463A866DF853E2BE71EFC44EC7AE10D1D7C23EABFB39D4DF852,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.261{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\sr-Latn-RS\mpuxagent.dll.muiMD5=5915C3DC6D3404A660F0ED04D9D0CA09,SHA256=3AF72E307F61020CFB0B24378EEF5D8A546E8097A547F1399252883ABFE2D552,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.246{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\sr-Latn-RS\MpAsDesc.dll.muiMD5=172E4AEF12DFC1BBEB9725A42A0DA59F,SHA256=41BA0615BD5ECFDD5940C81D5D4CDD24FB2452237F164ADB7FC6FCE3AC2E0186,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.246{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\sr-Cyrl-RS\mpuxagent.dll.muiMD5=DA0FB5E9E66DCB221D02970587884CBD,SHA256=16409B0BD47BC94250526CBF7EDF57F1AE6E163D7BC31E0FCB87C7E3350A5B1B,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.246{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\sr-Cyrl-BA\mpuxagent.dll.muiMD5=667AA5FF4EFEA149C26082BCBEC21B47,SHA256=42C9A56A116B48A5AB9D1249B0601D09EBA8D6830B870286E3C096422120C4F4,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.246{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\sq-AL\mpuxagent.dll.muiMD5=B732F58E778DB9EDFBF0401DE3C711EC,SHA256=329D1D3BC2595E79D0FE6DA2702A29D374DCE86292EAB05AE10DF437603281F7,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.246{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\sl-SI\mpuxagent.dll.muiMD5=3CD9903B2FE11BE4B57D6B1CE74AA1EF,SHA256=E289488BA8E975B6B3D1B6702A7AFDAE17ACFF00242C46552D1FE205C6C42E22,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.246{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B908C473D464EF0CA771D35C6EC1EBF,SHA256=F717BD787126C6F235125737E75A02553C8A202840812316C5CF5247D2887C48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.246{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\sl-SI\MpAsDesc.dll.muiMD5=100089A25524739BC2285AE5DF1D5EC6,SHA256=63B78C5A175AB9022A40E361D8F0677D6DC272C62251987C3BB0100F064FD8DE,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.230{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\sk-SK\mpuxagent.dll.muiMD5=92664A84B358EAD0F5513B00F403B8FA,SHA256=115E15FF95B7140A5A7FAEC9D87298EE7FDBE65A35BB87497FCCB6B5BF236D6F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.230{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\sk-SK\MpAsDesc.dll.muiMD5=D27C1603DDD3C0C0CBB820063A60196B,SHA256=0E89422405CB31189A3E65E2CBB2268015EEC9CF6EBDF8729A217284275B7705,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.230{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\ru-RU\ProtectionManagement.dll.muiMD5=50282BBFE6AE829BC1C71771E1BC077A,SHA256=E40346B619EBFD886FD2C765C2191FAE7B553579A1EFB39E295C87B039D56B94,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.230{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\ru-RU\mpuxagent.dll.muiMD5=2E018CA3A3454FF784BB17F1145B4650,SHA256=72D1DA6C2467D00608C92B86429B7A2DB372C6713B88E4F8E61E0FC528005BAF,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.230{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\ru-RU\MpEvMsg.dll.muiMD5=A20C3F56787D4A0917087441DACB0F12,SHA256=994707AE38DAB3F516367E93C8638E0CF70F3D239478A2A3982C88F1A4B5382C,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.230{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\ru-RU\MpAsDesc.dll.muiMD5=E83EB650E2482B2C92FDB9F3AB4782A3,SHA256=EAB6A4702D4CD249C79E10302C150BBF39ABAF441F4915773F4D51A8D8FF947E,IMPHASH=00000000000000000000000000000000truetrue 354300x800000000000000060392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.158{67EB100B-5243-61E9-2600-000000002202}2864C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local61366- 354300x800000000000000060391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:38.887{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62423-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000060390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.214{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\ro-RO\mpuxagent.dll.muiMD5=616C5338172CFE983083D1212627B08E,SHA256=27770C854FF89414B16FBF9B0BAC1080592395AC16FCCF910D666D9DC922621C,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.214{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\ro-RO\MpAsDesc.dll.muiMD5=0328C191B135EECF4E15E3A5D4A4C7AA,SHA256=29B5510FF091C19C95B9A4A563FD6A51890D426092DD15CB0B2CE696F4404EF9,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.214{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\quz-PE\mpuxagent.dll.muiMD5=3D89170ECBC32DB0B715C78DF9121B01,SHA256=9462D9A0A7A5EA80B399C81A9A654E4CFA358D4994E11BF792D8DB8BB2F0F8E3,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.214{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\pt-PT\mpuxagent.dll.muiMD5=075B782FDC73901B58A099BA2A232A0C,SHA256=C14F4A251BF432DAD1E62850F1CEBBB7689E5E50A305FCD6FF396C82426D3D22,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.214{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\pt-PT\MpEvMsg.dll.muiMD5=149D70DD838FCC2AC04DABE7FE40C1FF,SHA256=27CF38D40D339C4469FCDA6D1DBD92A09B5172538656CEC159D0C3D8DCBEA4F0,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.213{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\pt-PT\MpAsDesc.dll.muiMD5=EDFF30151F7A3372D5224E831C2DB3EF,SHA256=9E94380040D20E1957B31D76004ECBC97939302C097D4FE30902825900FF1CE0,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.210{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\pt-BR\ProtectionManagement.dll.muiMD5=FB61ED9BD05B8347B31F73D3B0F798FB,SHA256=7976AEC4E0DE7B10D5D038CC42B6412EF877D38CC255132BA388BED3B663D1A9,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.193{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\pt-BR\mpuxagent.dll.muiMD5=DE0424196B36FBFE0C64FD8F2B22685D,SHA256=499EF8CC5E505D5D69B7259B036D510310D834D44F9A5B52E3072471AF7F0A39,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.193{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\pt-BR\MpEvMsg.dll.muiMD5=AD8D6A506D4FE7E8DE0C0E9883CBA151,SHA256=29EAEC16675374C3DF48B054B3A15866811F3D265FB7258488B151336E50774A,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.193{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\pt-BR\MpAsDesc.dll.muiMD5=9497AC1A8B8DA9EB4149C0F8860C8A89,SHA256=76026F20BB91FC672C878D671A313AC10700B4081A57059FA67177AB95159146,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.193{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\Powershell\MSFT_MpWDOScan.cdxmlMD5=0DB7196D0224FBCE614AD6ACA63F8F17,SHA256=2D87A0FE031420903AE69DB3A30011DC659B489E2B11AA4129FED01ED3F0B00B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.193{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\Powershell\MSFT_MpThreatDetection.cdxmlMD5=7C91EEB90EFFB9A8D11DF34FA04FB359,SHA256=97DF56A7933A45143233D314EA947801BF0A475D55A9D852FB411FFD98CB4123,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.193{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\Powershell\MSFT_MpThreatCatalog.cdxmlMD5=125B977FF0EE6A36452A2B6FD5AE2316,SHA256=7856F35EB7FB72BBF8CAAAC05FD99CEE139F694209BCFBCA41AEB4C3B4CD2413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.193{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\Powershell\MSFT_MpThreat.cdxmlMD5=CF0F8A1D51777BDD9D08FEB023A2162A,SHA256=CFFD2BA2255685803B32ADE8D2D238A07AAEB8071EA04BCBB75CE0EF61FE9AE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.193{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\Powershell\MSFT_MpSignature.cdxmlMD5=A212A25B0FA39ACB5D3F02E1CC622730,SHA256=6A8DC2AA231D974A36E0EC86751139873226D6157232EDB63AFB2AEB110CD8F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.177{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\Powershell\MSFT_MpScan.cdxmlMD5=7528936578CAEAEFE7B398C8EF4E0A47,SHA256=A51C86EFD506A132274C37E288B9B697BC865F14D6D6451DA7399C7B5F36751F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.177{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\Powershell\MSFT_MpPreference.cdxmlMD5=710B025F9E1944FDB020F27389A2E8B3,SHA256=AA9021CFDC42493E2A759BAD0159001FFB12110FF83CD16021E57570E6402805,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.177{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\Powershell\MSFT_MpPerformanceReport.Format.ps1xmlMD5=C9734A297293CCE204D369DD392EDDC9,SHA256=CDF89F9602942969AE0493769EAC7DAA8022A1E8295D49403F1206615F92071A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.177{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\Powershell\MSFT_MpPerformanceRecording.wprpMD5=990729AD92C1325C42B04BC975ECBD57,SHA256=E796454FEE4CF17EFDC25DB5FEEF00A5D7C1B335E6C4B4FE996E8AD7CAB01BC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.177{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\Powershell\MSFT_MpPerformanceRecording.psm1MD5=CBA32A98D0EC2D6CCCD3306BFF7AD3D2,SHA256=B77C1F9B9263345F34FE32EED15BD8E3925D378CAEF5D83FEB49275447BCCED6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.177{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\Powershell\MSFT_MpComputerStatus.cdxmlMD5=58DF8D38469AF7353B672A6F145994DC,SHA256=A63B944CF4FB3DB7F758F7E4D94126ABE99916127E451E0C139D71E94744084A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.177{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\Powershell\Defender.psd1MD5=9346D71D826DC7B6580C6206FD1A272E,SHA256=EE3344F2D9FE64E0593B1DCE5FC4743D4891DAA6528A0650C41ED0D3F455D48E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.161{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\pl-PL\mpuxagent.dll.muiMD5=16DC11F458E24BD57C80E75E96B51784,SHA256=8812A720CBD2BB49D10256A062C1C61C7CF47259693ABC75FB7CD80BFEC5D76F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.161{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\pl-PL\MpEvMsg.dll.muiMD5=61345DAE8DFE5AE0057C8B4A45C2833F,SHA256=593AD6B77223468408847298A5884E4BF96D47990838544CB4940FC13EFD8D35,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.161{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\pl-PL\MpAsDesc.dll.muiMD5=6CAF1D4CE690539494F539B7905A02BD,SHA256=7285073BE903CC3E47014FA809D64DA01D338A8008FC61843A81DE4471B32217,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.161{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\pa-IN\mpuxagent.dll.muiMD5=9771616F679CFDE87EE5FD215B2EFD9C,SHA256=341C70F942D6DEC043A831790AD82E75550C5CC1F338A93E089538E7EFC94228,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.161{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\or-IN\mpuxagent.dll.muiMD5=3F59C3905C0A227825F4EA3C3E55F091,SHA256=1FB59FD9995DC6CCD4AFEBADAC827E4A14C9325B80A8797E2085B148CB70A4BB,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.161{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\nn-NO\mpuxagent.dll.muiMD5=9AD942027A59B35A699926D89B296612,SHA256=1B608279C259B704B85A162C875F1E11AE6019DA7AF62856E9C22F629B840BEC,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.146{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\nl-NL\mpuxagent.dll.muiMD5=4B6F3EF552192457CC7AC7BA263EDD6A,SHA256=8CD88C0931DB658F1D35B8181E38232E44D976D6DF13C52A6D8C02FBCD567905,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.146{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\nl-NL\MpEvMsg.dll.muiMD5=2000D01C73693AC55224A2B50B154615,SHA256=8405E0027C96F98DA781F1E4371574EAC844A6FB11B049E53E0CA6AE3C43C7B6,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.146{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\nl-NL\MpAsDesc.dll.muiMD5=B919CA54AC5049ADC843E4FE829C9CD2,SHA256=34C8D6941EA69F1EF22D732D329CF5809236AB849CFF76A8435AB6B71CA931CA,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.146{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\ne-NP\mpuxagent.dll.muiMD5=C4A6FDF1D995631B9C65FFC2AACFA873,SHA256=A8D371CE6D117AB8A9776D968D177AA03AFA2DEB101B77FF030ED8D8777CD8D3,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.146{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\nb-NO\mpuxagent.dll.muiMD5=304AD32107CE26C67BB900EF0EF3619F,SHA256=7ED4B1F7B4029AC1BD5BFF3A524D8505627DE82C29457732BB70ABBB31FAA23B,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.130{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\nb-NO\MpEvMsg.dll.muiMD5=E6B1FCA46E8D96A5C21D319484A90D4C,SHA256=FF51570F95646D497BBC29C0984DD5230BB98548C1E0A9F671A9FD9979CE8DA7,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.130{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\nb-NO\MpAsDesc.dll.muiMD5=049D5EB3CA6C39F7C2B52FB92F833B12,SHA256=561723B736EA9FA81951FFE37CFBE370000581511C404CD5DB37BA281C0BFDA4,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.130{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\mt-MT\mpuxagent.dll.muiMD5=1909106149F61C1F8858F89AD26DE2A3,SHA256=F02B104DA41574ADCE8A1DD333B960E0F49014865E5A38C2F2C726D4BF37894E,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.130{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\ms-MY\mpuxagent.dll.muiMD5=AD98F9AEB308A129EC66CC9D00D5F89C,SHA256=95D7B51CACDD3D3080E3641A846959092E2868CD5BE7A488FC8524E1A5D870BE,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.114{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\mr-IN\mpuxagent.dll.muiMD5=194257A1024CC7E39D63397FE1032ECD,SHA256=9D3248100342AEB6BE4C4EB53BEEF7A2C4ED20E7013BC0B982299EBAA98891AE,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.114{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\ml-IN\mpuxagent.dll.muiMD5=7DB06185F5B8B88066388F4881076566,SHA256=E039735F816CCA4FD1D3B1D950D9393986967307FE04C6CFD9CC4FA50C6E2173,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.114{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\mk-MK\mpuxagent.dll.muiMD5=D254D68D9C9B3ADB6F299A2F8E995BB8,SHA256=2A79835205C8F5F628E88AA1E61F3545AE26EF87CF2FA004A42873952EC4D4E9,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.114{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\mi-NZ\mpuxagent.dll.muiMD5=ED26BA8C0D72BCC36EDC88C45EE5FFC4,SHA256=8688A71A827466A4040DC4647D08AA769246F391F30705FF1CA257F4F78D575B,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.114{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\lv-LV\mpuxagent.dll.muiMD5=CCB530458FCEE57E22B2EA4D6ED208EE,SHA256=E35D26C5075FC7DA7C0F8B60587E4F1283AF90A93A24552582211DC8DDDA1B01,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.114{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\lv-LV\MpAsDesc.dll.muiMD5=6E39C969E7C1B3504247517C5BF75691,SHA256=E9A47A06F4609DF0FC502073DB628958F73C7E4C8DA5B93184443791D02B8704,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.114{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\lt-LT\mpuxagent.dll.muiMD5=9026148C819D5C847ACC68BC8E301ED1,SHA256=B7A3303B8AA2867DF57C5C7B5EBCC204A39165AEA0ADE83A73195E8B12FD3F49,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.113{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\lt-LT\MpAsDesc.dll.muiMD5=27533FBBCE191C502F58AA744C09B849,SHA256=14C86B9251617ED03F1CBF6BAD494E10D8AE4A421955E922719838A9CDEB9842,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.110{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\lo-LA\mpuxagent.dll.muiMD5=7CC56F36F54BFD32B24F8269CBC25712,SHA256=8C228ECEAB7F6475A48DF767F88F4F1DFD108937C2453FE2D67DA7C184A338B1,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.093{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\lb-LU\mpuxagent.dll.muiMD5=F550649C08F98B0AEA8E873D7522FF6E,SHA256=0D9E8A489A99DA0A85667A30782454F4393E9279400C368463FC421A73BBE50D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.093{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\kok-IN\mpuxagent.dll.muiMD5=DD8EB2310B7CFE70A1637B3554E0BA59,SHA256=4BB817A3216E25BCD96E8C6A1C9DB32B4B2F87696D6279E6BE0968921897EB42,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.093{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\ko-KR\ProtectionManagement.dll.muiMD5=BB70C5EB54F690DFCA728895F25B6601,SHA256=38F74BC285D27B860B2A7F8B7DD707876C89D188799AB57A8900857E84141BD5,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.093{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\ko-KR\mpuxagent.dll.muiMD5=2C5015292ECC9E51E4A7C5116F0D2F6D,SHA256=5B3AD7DF4494CDE19C3D80D0064C037F5882A60943165D31D6EB4BF66C3CF34D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.093{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\ko-KR\MpEvMsg.dll.muiMD5=EA80DE1104EA53A2893D83B1FF47612D,SHA256=B61E5C561E1902D170E87D61112E93D4038B6F6A8F3C8B11C063EDCA3E37368B,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.093{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\ko-KR\MpAsDesc.dll.muiMD5=1D1D0208330A5E6FD3019FFEEBC2FFAA,SHA256=3464105CF6B8FD9FF7366A52350217341C53BD20B0B9BA8C833502FF81A244F2,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.077{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\kn-IN\mpuxagent.dll.muiMD5=172B8401C1C0B9248548370B531E9BD2,SHA256=8714403277C0B396A6A8854BA936CCFABA5841143E04C2735D67AD3B81516767,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.077{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\km-KH\mpuxagent.dll.muiMD5=D7C1156285AC257A9461248BCB1FDCB7,SHA256=C9CD72ED2E024BF5A3651350DEA394F3DA16B1A6A674130E175B6AA248C53C3F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.077{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\kk-KZ\mpuxagent.dll.muiMD5=CBB0D632BD86C20FAC9B608931890A2D,SHA256=F4D674AE9B124693687AA9181F8AB96A993A7439486481F5FFE9859B10FF3947,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.077{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\ka-GE\mpuxagent.dll.muiMD5=5EA27B137DFF448CE6BD2879F3C66E91,SHA256=6EA4760836B21829EF37A42DD11D279755634397B45610F995072FF3C7372F79,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.077{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\ja-JP\ProtectionManagement.dll.muiMD5=C56197002C189E3EC7ABEAC4CFF3E183,SHA256=D13177865A421AB8CCB13B22BC5C880DC5852F24444F2F2B3E9942CB6CB002E7,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.077{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\ja-JP\mpuxagent.dll.muiMD5=12B946F8340850633DC2DD6EE40F2A42,SHA256=ADB66E12F137843707DAE15EF8514215C3965D4F67FC4F6D378E2E9A2EA52995,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.077{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\ja-JP\MpEvMsg.dll.muiMD5=0B72C73DD7E9D396164D44860FEC4603,SHA256=6E489D30EF3956D7C55DE98EB4A292D67534AC168821338DBB71387DCED9BB51,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.062{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\ja-JP\MpAsDesc.dll.muiMD5=A84F9DD91E651D6378ED25EE410ABD73,SHA256=DAA5A39F5A41E8549354878BCA60D247B097D0726C642043BCCC8EA5E9958834,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.062{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\it-IT\ProtectionManagement.dll.muiMD5=AC686BE337F5CEA8D06B615FD6C4B9F7,SHA256=69F72D00445DCE6A4A9A2BD69627451C875BF864BF98F7AC554FB0E3737903A6,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.062{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\it-IT\mpuxagent.dll.muiMD5=F81A22F6704F1980685E1B6B968B1416,SHA256=7BE6AA910FF4FD157FC6B9E52B7F7AE412ABD8312195E4CA3AE30DD30BBC7230,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.062{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\it-IT\MpEvMsg.dll.muiMD5=9621E72BDE052AF87248869D95F740F1,SHA256=24DEDBBE081A2D26F80A28F889341BC9CB6B69F7AAB007690F1D401E10C03455,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.062{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\it-IT\MpAsDesc.dll.muiMD5=999B7D50B0D5054A248145C57DE8FE53,SHA256=16A49CDEE6DD11357E6857C2889B32F66E5E2B76C349BBA38F202D0CA2439866,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.046{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\is-IS\mpuxagent.dll.muiMD5=E588A8FAABD5714585A6327BDE8A5620,SHA256=354ABCEDCAC302A6739CE0B34F2D370B64DEDB8446A7A8DCD9EBF83BFBCE8B46,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.046{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\id-ID\mpuxagent.dll.muiMD5=8EFD7C5E912ACA7F0DFA73B4E49835A2,SHA256=4ECB23CFC70FBFE8395D36A3F952C635AEA5E0C066AE7BEE0DA3E467D7B52BE0,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.046{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\id-ID\MpAsDesc.dll.muiMD5=130873D2E19F8E4FECB3406E5B203E8B,SHA256=AD811C6D80C3BA2DF1D574F23DAC24A42DAB1C8DBD142CACA7DDE6293FBA1DAD,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.046{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\hu-HU\mpuxagent.dll.muiMD5=0840EB14DB0A5B63509B244A7C09EBC1,SHA256=528EED32F6FE145DCABD4E5EDD619F2736F2AE9721DF9699EBC96DDA61793C03,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.046{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\hu-HU\MpEvMsg.dll.muiMD5=19B9FC01053994043BA62B9184DA6744,SHA256=D88AE56F4016ED3CEC159A725474199CCB6775B4DA012F2CAAFFA6BA34D2BA3B,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.046{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\hu-HU\MpAsDesc.dll.muiMD5=DF44AE65B816A9BD69F1DC16406FB958,SHA256=BE965A8FEA6A87CE70D33EB4273CB729E93BC968E3DDC054C2B05BE1E1B980ED,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.030{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\hr-HR\mpuxagent.dll.muiMD5=D6F9AFCC916DBED55F85C92AD37789E0,SHA256=8FEB606A96406D9D577FED85746CABFC2BD732E4E69FA6E672FAAEE368C33901,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.030{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\hr-HR\MpAsDesc.dll.muiMD5=2070095BD1B455178CF0308064EA9E03,SHA256=7D0A7E01D342D95CEE088D0406B54D38478DD2B717DF1E46BA8F9D33F0F36D65,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.030{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\hi-IN\mpuxagent.dll.muiMD5=52D701C3D270A2783E89EF8711ED4383,SHA256=4EC411DDEE07C86BBA7F9342A2AA57233EE6903AD4EFB7DE0EC35FD701708CF4,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.030{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\he-IL\mpuxagent.dll.muiMD5=E4E9EFAB27C62A9D23047178AFC9A83C,SHA256=1D409D392501FF2F8C33719F614B19CDBCF37DD582E643FE94B73AA26FA67BF1,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.030{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\he-IL\MpAsDesc.dll.muiMD5=27268B44DE213002D6C564F0649D5884,SHA256=D1CC6105357A902F8246087E6339293F45EA0F4B64818B33BFD789087B05A159,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.030{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\gu-IN\mpuxagent.dll.muiMD5=F86C2F189DDA9D4108B3FDB79D5810D0,SHA256=768F2C4ABC1D699534336D1EBDCBF91A1161C225997F77F500B45D536FE7606B,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.015{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\gl-ES\mpuxagent.dll.muiMD5=22E9CD2195300F874E22D56F229BE641,SHA256=D7A9C4A0DB73D912AAEDF82B356746E0962D8737ED57B99FBED757ADFC569D97,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.015{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\gd-GB\mpuxagent.dll.muiMD5=41145004FF8DD45A36D5CD7858D087D1,SHA256=32C4F684C3CDD43275402E451868C92B492A2A1A0E7766271F32F85FBF8D4A07,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.015{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\ga-IE\mpuxagent.dll.muiMD5=946C26A01CE0B43BCE855766D8A2FBDA,SHA256=0B65D0F9B5E6F8EAD3F0F5DF10D7D5C4054E7F8AE2CA063075337EA33F44424D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.015{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\fr-FR\ProtectionManagement.dll.muiMD5=C341F1BAB98F727E1EA335C60C74D688,SHA256=C3410C3E57AC4B396F4D660D2B069998FDDAC50FA7F595C38F200C9B204182EF,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.015{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\fr-FR\mpuxagent.dll.muiMD5=23C5A9CECD33866C21A7B070E3416BBA,SHA256=69E95CF187C3FD04A40F1C7F0458AC091FDD6A4C51F91AEAD972EF60B8BC9A1F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.015{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\fr-FR\MpEvMsg.dll.muiMD5=355210542B63AEF819AF79C277934A80,SHA256=70B660D64AB8266452B7273D938F9AC15626A4E1BB2D81049A3A84FA1F608AD9,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:41.013{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\fr-FR\MpAsDesc.dll.muiMD5=44B5E862B194D925A5ED71A1BEFC7F21,SHA256=09DDB691F5E89918D3F92F34599BEB55DEBF83057B51DAE49ECDE57E865C28A6,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.993{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\fr-CA\mpuxagent.dll.muiMD5=CBF02EF073E0A7E07C4C59C4FBEF8C72,SHA256=D8E1C88B12FA699ED1444022726AADB2464334CA00D9895EFC45A56864594DC9,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.993{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\fr-CA\MpAsDesc.dll.muiMD5=7449A7FA39DE266A5DA058FA94933C1E,SHA256=E5E4519B6F9EC15AFD5E1C1B8DF028741239B91DE7D0180856D0B51D57E37DE0,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:40.993{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\fil-PH\mpuxagent.dll.muiMD5=DB490CD5090EB998C109D4F6C9F6B914,SHA256=FC43DD264BE0FE99AC8E2D18B740EC0B73561582266D02D83EC1A47B175D4732,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:42.992{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\da-DK\mpuxagent.dll.muiMD5=63AAAB7FAB9E9C8AA639538E42693C73,SHA256=D71CEB4F045E69BDB53724731187A99C4CBBDF833FD2C20D0A56CFC4A1A211BD,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:42.992{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\da-DK\MpEvMsg.dll.muiMD5=40411D7CFD9C01CF8A24D822518C5DC7,SHA256=F06CD298DB59E531C38E8FB1E323CA42EAB237811F37A9A5688CC7E4C9B34F0D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:42.992{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\da-DK\MpAsDesc.dll.muiMD5=7002E37D15578AB76351D48E5DC7A041,SHA256=AEB31511AC56F7C92236429D3813A46F00AFD764AAE729F7F970545F32F2D30F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:42.977{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\cy-GB\mpuxagent.dll.muiMD5=11039DE43A580BA56A93891D03E1860C,SHA256=E60E2BACFEB8E3F6546523C994E53BB6F642F47922D82C082808B19CE7F058BF,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:42.977{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\cs-CZ\mpuxagent.dll.muiMD5=8428C747303945155EB786D42DF5F80B,SHA256=4633D24A1145C73F1B30E0CE5115C206148D4101F189CCE7F46ABBBE55F85D9E,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:42.977{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\cs-CZ\MpEvMsg.dll.muiMD5=1B94C3DE95A8E4CF7088A3868AD80C53,SHA256=0E24FAFC2D3E78E6432F8002E28DF96F1C9D9D682231C3FA2A7318F3887F5977,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:42.977{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\cs-CZ\MpAsDesc.dll.muiMD5=FA840C2488639346A3B5B685AFA32216,SHA256=C1EC33FF09DFB562BCAE9626FCAC25B2306FCE6B94D1533687538E0BA5656A83,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:42.977{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\ca-ES-valencia\mpuxagent.dll.muiMD5=2F7CC3AC02551F51EB6375265D115BE0,SHA256=C2BEE351A04A1327E15E08494A49BCAB5D06E29E27CB1E0E8733B5542D062740,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:42.961{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\ca-ES\mpuxagent.dll.muiMD5=506079C24A07C5EC10C3D83BFC7A3C71,SHA256=BC7325278F6708D9578976932351221DBFF7E9642FFB37614D7AB3BF4E6D40E6,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:42.961{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\ca-ES\MpAsDesc.dll.muiMD5=05A82F52193DAC30031F88E1184566A6,SHA256=A6EA3A48442D18288562F9307BD7325725B7890599DCB6C375D7375C40043A50,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:42.961{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\bs-Latn-BA\mpuxagent.dll.muiMD5=02D8182839C7F969FD9ABBD1EA9F106B,SHA256=FCD0F0DAD9461A7C75E4203672E09F1CDB50DB012A20F969CE9AE2FFFFC9E35D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:42.961{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\bn-IN\mpuxagent.dll.muiMD5=0AAB9273EB8B1544410CEB9AF7FE24E5,SHA256=C86973D39EF05F56F47B3AE96CED1956831BC48AE59FED68457B48A16B48AA57,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:42.961{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\bg-BG\mpuxagent.dll.muiMD5=4DFD17A5DFE8955E36D316F8DE387EF5,SHA256=884760A6D0F6FD86EF676A48C27347343909E5D96F3B3C563EB6B798288B2B5B,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:42.961{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\bg-BG\MpAsDesc.dll.muiMD5=8B3CF5F422B3702DB51A1BBA61383DB5,SHA256=C744BC8FA99D069AB48DBE2FF77FDB91981ADFCDD49CB0552066C52583BDBDD3,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:42.961{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\az-Latn-AZ\mpuxagent.dll.muiMD5=B086D69050D7E5F1BB9F88226C1D6B78,SHA256=134D8BA36231A6573B104E189AC2C802959B93E875FDAB76BC6097D5D50FD01A,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:42.945{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\as-IN\mpuxagent.dll.muiMD5=9E43EB454C70483DE65235F9F535DA37,SHA256=259BA6BCDCFF400042CD92E153A4A0AFD72DC2CAB3CDB386B2FDADA27084805A,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:42.945{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\ar-SA\mpuxagent.dll.muiMD5=F218A80AEB9611847C734157608F0F4A,SHA256=EE35A4337E624310B95BA0CBFED50555035D0DFC7765C9450DEEFF2F18744797,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:42.945{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\ar-SA\MpAsDesc.dll.muiMD5=53E256868F86F9BFFDC7DEAB4E9404AA,SHA256=A01FA79CB461438CD6970E7F0790C5BF6A2EE824FEBD1D58D346E03C37D334F6,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:42.945{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\am-ET\mpuxagent.dll.muiMD5=0C2B85019D58FA746AEC3D5A8F74C495,SHA256=5FB99F39600BFCA3F5CD7017FD7A6502F1DEE92D89F3F3802ABC5639CBD405A9,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:42.945{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\af-ZA\mpuxagent.dll.muiMD5=4D99797DF62E0BDDFA99C3B43811EF93,SHA256=48689B259689596D2CF334561F770A3D5304DBC9848019DFC3DDFE6ED81C1997,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:42.876{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\ThirdPartyNotices.txtMD5=CE7313760386B6ABDE405F9B9E6EA51D,SHA256=73E26404B3571A9E859B3A1144F54C353172479586E0A23C3A7DDA0C1C0AE919,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:42.876{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\ProtectionManagement_Uninstall.mofMD5=72D045707D108D55B76CD70AD9A84AD6,SHA256=30A0AD834D7B3F4FB47010B4BB6905576792E83064E9DD858EABF0CCA17FC3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:42.876{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\ProtectionManagement.mofMD5=D9619BB89523F47C88DC5FC8BEA50BA0,SHA256=3ECDCEF5A04C90CA1EB296F3AE4F1C5BC96C371E84BE927C25FA64D6C74C34AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:42.861{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\ProtectionManagement.dllMD5=0F9485E242400DC47A9FCA73A3443120,SHA256=8DA908D6AD4F307D6AAF8CFB1A9C27B3F3A285F84B1F3C817F50D7B154DC575F,IMPHASH=170002200EFBB48482AFA5E458D56D3Dtruetrue 23542300x800000000000000060475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:42.830{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\NisSrv.exeMD5=054F919445EDBC999989A1413FD87437,SHA256=A124EBD9240AAA542962CB2A1059B6315E9F2183CBFD08B4E8029EE15B6A009F,IMPHASH=B4267FF023C00AB6FBB4972C1FB30C34truetrue 23542300x800000000000000060474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:42.645{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\MsMpLics.dllMD5=7B842DAC975E04C90F9B23B7D04B5160,SHA256=61D412008B89D3B931BC9E8AD731F792DD9EF2D2F147916103B8F9392CF8D501,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:42.645{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\MsMpEng.exeMD5=15D205854CA62B75C0BF447F9DD8119D,SHA256=B815A94D49CC0E8DB03456CBBAFB4A052F481531F8768CE704A2A012FD84B7AB,IMPHASH=99C98AC382B2B1D56BA3D07EBC95CDEDtruetrue 23542300x800000000000000060472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:42.630{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\MpUxAgent.dllMD5=68228D20DFAA033D246B8BED272CF92C,SHA256=C44F961691C4F91AD370985D5EB281F843EB5DCF6F5EC98D9C9A509E789CB7E8,IMPHASH=8CA081F2F7B12D686C8459E89B4303AFtruetrue 23542300x800000000000000060471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:42.614{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\MpUpdate.dllMD5=BA4E1FC83B68F72927F58BBFA064C294,SHA256=23C224794D0342F3C97D6F104B40465A8C314186DD3A9F0CBBC9A9441700AE83,IMPHASH=FF86D41A21C61CABF3B1B37C0EDAAF4Atruetrue 23542300x800000000000000060470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:42.614{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\MpSvc.dllMD5=0618D6AA4B96E666F1C3B79CA1531187,SHA256=89FD82BABFEE76643CA0F3DC4730302575E2BCCB00F744090D9E253A8CD9EE53,IMPHASH=92FDA95C32C79BC85B7FFE35C7460B34truetrue 23542300x800000000000000060469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:42.297{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\MpRtp.dllMD5=EABFAF1CE6CB8843DA42FBA01E8BF069,SHA256=CA99B8EAA6ED8C706590551BE37107D027BBD53CC9E52805446ADF59B3AEDC1E,IMPHASH=37FBA5E19A556368C80635383A68D429truetrue 354300x800000000000000060468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:39.169{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62424-false104.18.30.182-80http 23542300x800000000000000060467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:42.246{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B4BF2117A71C8F1871D916D6DB35070,SHA256=C899CFD7B7792A4736A809AB861B151AC56C46AAE60A3E0ADD63EF97488B951E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:42.208{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\MpOAV.dllMD5=507A1C4DC135D31E60E46C911F518352,SHA256=07AA7775DEC86AFEF867C3B902BCF47CCB36E224433171EB6C4C0E3D80F753AB,IMPHASH=03EE692DE6217827EFB332DB1F358A4Ctruetrue 10341000x800000000000000035432Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:42.848{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6B46-61E9-6603-000000002202}672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035431Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:42.848{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035430Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:42.848{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035429Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:42.848{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035428Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:42.848{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035427Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:42.848{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035426Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:42.848{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035425Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:42.848{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035424Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:42.848{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035423Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:42.848{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035422Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:42.848{8EF30467-5220-61E9-0500-000000002202}412428C:\Windows\system32\csrss.exe{8EF30467-6B46-61E9-6603-000000002202}672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035421Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:42.848{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6B46-61E9-6603-000000002202}672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035420Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:42.848{8EF30467-6B46-61E9-6603-000000002202}672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035419Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:42.769{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DF095D9CF8CEE68A37B95B54057D98C,SHA256=EC6F0FC13D0A590F293FEB9C3C365D6A9BB1E0AEE91BA2646D7F8D04F7681675,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035418Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:42.144{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=106D775E7D87FC405CDFB69AC1EBDF91,SHA256=083D884092BB44E8F9A64C297BAEA312BC09ADC93F8A616024E51F67A19AEAAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:42.146{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\MpEvMsg.dllMD5=E6BA4B06A514B05F1A6F67E02776CB12,SHA256=3E69F409180506A6636CA8F0620AB0CC9B57F1393AC5986CC8BBE50BEF12C9C2,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:42.146{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\MpDlpCmd.exeMD5=9DA1C405AF787EFBAF735B76388F867F,SHA256=7E7180B5534BE4BF2E531DCCE4BD8C0CB55EEC93759625283A162C0F6149464F,IMPHASH=ADA70A1CDA9F7CFE0EE9ADC707952597truetrue 23542300x800000000000000060463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:42.093{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\MpDetoursCopyAccelerator.dllMD5=50E2C916D6B2E5CDCED1BF18BEF5B9E6,SHA256=C880E519887E5AFD35612BDAF4F987D79ED294050A4D291B54B18F7F3C80A89D,IMPHASH=F50111F80E604507B2C7408826513BE5truetrue 23542300x800000000000000060462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:42.077{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2109.6-0\MpDetours.dllMD5=6694C427D876FEEC65126E7734886E88,SHA256=A76E653BA8D251379133B748B685C08672A69D1CF95493549E563CFAD8A8D7A5,IMPHASH=347E3515FA426FC23AFC3969AC2AA015truetrue 23542300x800000000000000060679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.962{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\MpCmdRun.exeMD5=D06785497C59761CCB542B24465B21C1,SHA256=CF2E3EC88871745526030D5F195AF65464DC27C33588E406CC4ED7154BF7ADEF,IMPHASH=BFE54B9A9FB809E3964F535FD29E3413truetrue 23542300x800000000000000060678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.947{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\MpClient.dllMD5=6162555E30EF285268C2C31D31F749AD,SHA256=30A26281EB7DAF02F4D48FA4E0636A640F5EE58973774D11C723E0EEFF054FD4,IMPHASH=624E1189FDB72BC74D16BA15256EB0FCtruetrue 23542300x800000000000000060677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.894{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\MpAzSubmit.dllMD5=DA6365A95C78411696DD0D48421980CB,SHA256=A05B590C79C85D0B3747ED0D72B053BC850052034A10CA37390A94492064F6EB,IMPHASH=300ED5E63E8A71D34B395F9FB0DBF683truetrue 23542300x800000000000000060676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.816{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\MpAsDesc.dllMD5=35E251E64B929CB6F2A6A8AC4F727CB1,SHA256=AE06DD852532BD69047CA5D061F8A07066122CBE1B2878B2B7DB97626EF439A1,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.794{67EB100B-5232-61E9-1100-000000002202}636NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=481C6D58A7FFA6F9193BDFCA2BE7327D,SHA256=3E737AE2794E14DB71B5147C2C93E73A7490B689330DDE902372D91E45567A33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.778{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\Microsoft-Windows-Windows Defender.manMD5=36F8A68EECFB5B89C4C571F6A63E3ECA,SHA256=4D76246642181E38F87B623AF82BF7454050D05775F546506CFACA1608BE9633,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.778{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\Microsoft-Antimalware-Service.manMD5=1155F6F2B9350FC2F05CCA5E617BBA5A,SHA256=46E57B7D482AE2F8400A74A13929D594F6A77A2B1E8AC871C19B67068C6EF69E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.778{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\Microsoft-Antimalware-RTP.manMD5=0EA061B68884A0E5AD4B1F4A93B1FBF6,SHA256=1F78E8C7AE754DA422F11439E732628BE78F8BC85625CF4EBFFCF64C536679FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.762{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\Microsoft-Antimalware-Protection.manMD5=E4AD891E7B62475FCA109C0DF4DEF16E,SHA256=DF9AD93CDB61587A35FCDCE996955A64413439A474D85C86133A9E9C185D1966,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.762{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\Microsoft-Antimalware-NIS.manMD5=5562965C32F03AE0DF8B9DEF950F8651,SHA256=EA64BE59286B67AE930729FA92B2B08DCE5C2EAEB70FEABE2320C47FB6DDAC6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.762{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\Microsoft-Antimalware-AMFilter.manMD5=B6D65A86FC1999A62DA10EA3C4CAD3E4,SHA256=05B2BFD40FB3A344C3AE178C420A7FEA9595815CB1CC07843078112F5F551EAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.762{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\endpointdlp.dllMD5=210BDBA8BFDB791D0363D3AB15B05BFC,SHA256=EE850D3AB4934998179C92E86BC50CEAA3F37ABB3CB1D219DD7CB17505658AC6,IMPHASH=3904CBB8F57851E91232DF29D0B9DFBCtruetrue 23542300x800000000000000060667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.747{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\ConfigSecurityPolicy.exeMD5=FA0070C6454041E82EB90BF44E3BA83C,SHA256=50B174E26F4FB9048C66DB961A3B8E6B17A2BB8AC47F1D9D8C5CC51FF7B70BD0,IMPHASH=C1B5D6B4F7C8A5BCC84810A010E14536truetrue 23542300x800000000000000060666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.715{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\com.microsoft.defender.be.chrome.jsonMD5=60A2FC65D3CC1D3DE9ECD2C5319738FC,SHA256=6C6F52B13235148AF305BD614779EA885C00B64D0BB7CC764E3C67198CC524A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.715{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\zh-TW\ProtectionManagement.dll.muiMD5=E12A3EB93E82060580894D175A0E91B5,SHA256=5597AD5422CAD82DDF756E6170F4735A57CCDD4BDCB9B3270EBE724607C37174,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.715{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\zh-TW\mpuxagent.dll.muiMD5=9E5F6109AD90B700ECF586295480080C,SHA256=36CE71597ECFE37095B4C80BAEB45EFC940F152C4C091F4A39EB501D0D482B69,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.714{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\zh-TW\MpEvMsg.dll.muiMD5=45873C96117D710A11393B0422E339BD,SHA256=4015D90E8A7FFEE22A8E89563D49D5C5256678AB137DD73BD4DD36D334370329,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.712{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\zh-TW\MpAsDesc.dll.muiMD5=FE1ED6771512E05369FA523367BE97E3,SHA256=406EE1499AEB17FB024586074CBFD73BEA89C50BD0E4357C582A08886775C45F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.709{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\zh-CN\ProtectionManagement.dll.muiMD5=133B896870781AE779833BA408F78DE6,SHA256=0A6B7DFA292199568076BEDB1D2E045755D8F737CC71466F90376D63EDB89EC9,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.693{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\zh-CN\mpuxagent.dll.muiMD5=69E39D7238D994D326AF1B17FFC162F1,SHA256=F72A98A1D28A9112C8B68D4EE986EDDCA7AFD091E10E5C2CE024061D8913CB93,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.693{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\zh-CN\MpEvMsg.dll.muiMD5=BA0F9B0545963149BDB096B43A2DB15B,SHA256=66E93D291A10FEE0217F0988005761869F6B29D021E1B55062AA6E9409B50825,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.693{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\zh-CN\MpAsDesc.dll.muiMD5=6675553BABAE7D2690615D9C0517BA94,SHA256=5A156ABBBE81E95C350A05338CF5D7632948F117DFD95CEC4EAF52F9E64E3097,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.693{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\X86\MsMpLics.dllMD5=0B1BE45EE3ACDBC3D5BC36FDCC8C08E0,SHA256=5457D5F05AD3DFED10961F053BBE242F78F13C773A466F7E8C3BED5F36FCCCF1,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.693{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\X86\MpOAV.dllMD5=89340D85A12452006E5A19DB7EF1F7FB,SHA256=1232FC009E397B7AECDE284E42F47804F839C29257DE6CEADF85F8759F0A7270,IMPHASH=B153971B18B753F5A5050CE54B02C2E0truetrue 23542300x800000000000000060655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.678{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\X86\MpDetoursCopyAccelerator.dllMD5=DB61CE19954A7CDDA5A5C8771ED74E61,SHA256=61A0B5A24A74E4D5B4D47104BA90FA628FBB579F5B43060F6C6008B8CC3A187F,IMPHASH=74478D3FF071B77E9B32D63F1F5AA17Atruetrue 23542300x800000000000000060654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.678{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\X86\MpDetours.dllMD5=D7F744F1489C742B8FE86D4353A64E4B,SHA256=3E75A0F63364934E7877F071E5AC480AB20EA8977C0804D8FFF73B0205AE6620,IMPHASH=6E757FB64260833FA5C6C4D97D8045D3truetrue 23542300x800000000000000060653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.678{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\X86\MpCmdRun.exeMD5=FB30259AD00D4D39CD0058A4E82922FA,SHA256=656678C217F130CDD6A95A2D8210DA879EDE43F719232CE9DEDB37A4DC9E0EA2,IMPHASH=D53B9A9284ED1C3789C06C4D975F8A59truetrue 23542300x800000000000000060652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.662{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\X86\MpClient.dllMD5=497CA375D5F7C7762DEDD2EA71EEBB95,SHA256=69E2E0E8892858A6A109576848DAFBC5F669EA57D3B8E6864A332BDB17DA917C,IMPHASH=0E644468AB17DC09175E735D79CFB0C0truetrue 23542300x800000000000000060651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.577{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\X86\MpAsDesc.dllMD5=078239B8C89E303984D9705CE6BD1579,SHA256=89CBC3D0AEF648E9F5061C447B569A8BC8427D68E2EF2685FBBBC20771EB8D0D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.562{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\X86\endpointdlp.dllMD5=DE41663E3C4486037FCA0238C7CF4DC5,SHA256=D3090FEDB2E55B1E231886129A9BCC9DD7DA6197DD1C67BF99A261406F566E42,IMPHASH=D1B6B842CD4F76AA52E0066A9B58133Btruetrue 23542300x800000000000000060649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.562{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\X86\en-US\MpAsDesc.dll.muiMD5=E0C0D520397694E20324B818C62B8D9B,SHA256=58A855DD11DF04C39DCFFF294FC6DF90EBAA4AB40DA8A66F205DA550B1D50E93,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.530{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\vi-VN\mpuxagent.dll.muiMD5=73C39116253B24BE4ABB60C92AECF75E,SHA256=BF0979093CDBDD33EE605C719CAC698DFBE839AAD9DA0B7117CFABF4A66EA225,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.515{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\vi-VN\MpAsDesc.dll.muiMD5=3D36EB51DA4ED341BE6A5F086C967CB9,SHA256=D2EB6140A5969E63E7EB0D889EDB236FCECFCEC0998790F69E7EB6CFDA45C914,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.515{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AAFED281C26CD91F9C54CFE4F42FA03,SHA256=76E912BF1F8C4CE793E60290D41A5E9CD0F3D00EFF0520AD0E6A24AD9EA07407,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.477{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\ur-PK\mpuxagent.dll.muiMD5=4DE6A10DD51B409670FCDB4B6DB1E630,SHA256=A39764F3391C4DDC93682FBDF2D128D44A365E2776475F42ECBF39E0C50A4338,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.477{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\uk-UA\mpuxagent.dll.muiMD5=393B8689A079AA69EA64BF6D67C65DB6,SHA256=FCE923C4C9E7CF1EE8FADF6BA6137E8C7BE709947985D71B91498CA849E9A2E3,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.477{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\uk-UA\MpAsDesc.dll.muiMD5=CC0193355AB7579CEDC56C938F1AC223,SHA256=11FDE5D9E41B8EBCBE8B479F66B9284E7FEED665D301150CA4DD651A3343250B,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.477{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\ug-CN\mpuxagent.dll.muiMD5=7F5EF7CEE50DAC6297A69A62E4E359B3,SHA256=758CAAFD39D25BB0A2091BD72E4A62A10D9E2F54857FD3B84D5BBF79D8125376,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.477{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\tt-RU\mpuxagent.dll.muiMD5=24EA02B8DE6CAEC0E1509C337CD58503,SHA256=C0E8543181A454D94AB9B469039A8A7642EB70BC73CEF67897FBAAC99E840605,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.461{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\tr-TR\mpuxagent.dll.muiMD5=F63FF7978B5473AF74E71DD7E7F4BBD8,SHA256=34FC4A6AF0FC97434D8837D6C7BAD01AD9C342956A12731EE49DF43FC7D72F31,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.461{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\tr-TR\MpEvMsg.dll.muiMD5=633A93825BE47C392C5F8EFE409D0748,SHA256=E3DC013BB48E9A7A78EA141A2838E3E5BAAB25EEFE99A4468293893CCC1D2908,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000035436Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:43.973{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07FDFB04CFEF282514BBB7D0F7BCEF39,SHA256=2EC3026A0D14D5FC3EFACEBFEC58E109B8DE7FF2A93080DFB9337D16D27C400A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035435Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:43.144{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10CE8D0D9AC1D5AE685247A8DB907DEC,SHA256=93D892567CBD65897FFDB3BE2B3AFC3534A12A5858DF0096E1F946464D7AD242,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.461{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\tr-TR\MpAsDesc.dll.muiMD5=D1AED3929086266619CDB50610E53662,SHA256=750B2AE66639F81485CEED960FC66B984DEEA8DA03B6CC380137F519B4B5B022,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.461{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\th-TH\mpuxagent.dll.muiMD5=CBCABA1F45DE44187638EA9647A6446D,SHA256=F3128F6591372BC51FDAB478A4BE31EF34553CA664FAB759CC9EFD64E1837492,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.461{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\th-TH\MpAsDesc.dll.muiMD5=084F64935D294026EF172CB2318D5156,SHA256=E4EEAB62D01EABECC30EF7695E1971A5677ED924FDF29DD5F2E187D43055C510,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.445{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\te-IN\mpuxagent.dll.muiMD5=215F6A9744ADF9316522ADB3DD811F83,SHA256=7B2972D079DAD26084BE6A752B442D86CF95DD97281AD1F382AE4D588E120A0F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.445{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\ta-IN\mpuxagent.dll.muiMD5=FC333CCAB5E74219DD25EFAF320BA8FC,SHA256=40D60F5687E2DB33C41D668F6EBCF0FF094CA89928409ACA33D7AC1A8F4B67AB,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.445{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\sv-SE\mpuxagent.dll.muiMD5=1E1765A4F6598B768C84D45AEE5369AD,SHA256=684BDBFEADDA1391B0A2E598D6319D21B8F2658EF2C3F23EB1D939D6154FD323,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.445{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\sv-SE\MpEvMsg.dll.muiMD5=7467C98D9A9C923A01B1093A73789506,SHA256=DAE21BF0EF657322CE6D80480954E65974B349524F5BE46FCB8123FCEA96793F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.445{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\sv-SE\MpAsDesc.dll.muiMD5=22FA233927C07E3BFB8C6C282CF54B50,SHA256=E8BBC76D3A4C0C3484792F6D7253E079713B50A3153DF91CAAB5A77926627F8C,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.430{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\sr-Latn-RS\mpuxagent.dll.muiMD5=836575BFE3A096419F9863ABEEA64354,SHA256=3C3965740A7921690AD934450AFC800027204334A4CA93D0B02AB260368E8CCA,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.430{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\sr-Latn-RS\MpAsDesc.dll.muiMD5=2843E6043F64CB9A98ED9EE8B6854CC2,SHA256=5B2AF5458F1601DA07EFFAFC60A09EF4DBB474F1576E1D3605499828F64BDCB1,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.430{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\sr-Cyrl-RS\mpuxagent.dll.muiMD5=E581F4ED51F1486289AE8E4F36B33EB5,SHA256=30076F67CB915294F1F6815B5C723FD7381F4DD146656D31D40F6E521E6DBEB8,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.430{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\sr-Cyrl-BA\mpuxagent.dll.muiMD5=B798EBE07FB2C734B464F4D21D3F3393,SHA256=F276DDD79570981DB5598BA0A8B9E86D934391118F74D18AABA4A66BC7A566BA,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.430{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\sq-AL\mpuxagent.dll.muiMD5=B18BFE1AEA30CDB492FEFEDDB2EA105B,SHA256=FC00F0E0D6497F1F7234C2CE42E92C8CF2BF475AF967403C0A62BA4B68DF4172,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.414{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\sl-SI\mpuxagent.dll.muiMD5=88E0FCBFB7067934FD5E91E8E7684EA8,SHA256=8C3EA953C375E0567235EB6BB45095E94E32A762D0E1702EB7746CEF90D15BC5,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.414{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\sl-SI\MpAsDesc.dll.muiMD5=87B11B2EBF429C716388BE4943C9006E,SHA256=0064BD79BF311502606D517DD2C2D3C7335A15BA2A44E8B596FD939F9CF11B38,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.414{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\sk-SK\mpuxagent.dll.muiMD5=4D348CC38C214243B81B19F2D4BBF929,SHA256=EFDEDE1D72071276418616B4C3A618359411E4455C78A81C12689B0668884179,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.414{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\sk-SK\MpAsDesc.dll.muiMD5=190DB3D33B70571BB3B2CB06129E1470,SHA256=604733DB9A871F861B6159E519E502AD8995162E5D23F8186516B19FA49955C3,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.414{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\ru-RU\ProtectionManagement.dll.muiMD5=B3D756B33B81381224FCA09419EA21B3,SHA256=3F4F5F094F84E074993892B05810D44A8350D1A03846D74914E0435BB1FE1DE2,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.413{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\ru-RU\mpuxagent.dll.muiMD5=7C600DA17273AA335E3A8848C0DF19AF,SHA256=FB480E7F5A47BE1BE1EDF89B45AA03C33E681D0536052F661735E57AB561A78D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.411{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\ru-RU\MpEvMsg.dll.muiMD5=8D634ECF26EB81E0C0000718452AA099,SHA256=17F19B863CB2D926F151ACA2D354917ECA22999785E2D5A717924DF50E878AC0,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.408{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\ru-RU\MpAsDesc.dll.muiMD5=7670F52F5F8AC59CD100AE817A528C20,SHA256=363201382D6FC4D175EE37931316906DC7F8726CFA4B8B1F41848A9A1AEEAFB4,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.392{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\ro-RO\mpuxagent.dll.muiMD5=CE59B7F59CD472D593EE595F661675B5,SHA256=F0182D40F48A9575DED545ED497C92C6D854DB7330C66B33269FAF36040310D2,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.392{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\ro-RO\MpAsDesc.dll.muiMD5=3307650C12B1275E3369A49E8C409D01,SHA256=A5FFB707E70B7A80C67FDA49A6A396C2AABB4A25B184BB101FF0BE119DE199AB,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.392{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\quz-PE\mpuxagent.dll.muiMD5=7A86AB57858BF3CB1ABF21F4F4D59A55,SHA256=F995C7F5C57939C90254EBE88FCDA22561FAED8024351A3C1466DDC481E42BC8,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.392{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\pt-PT\mpuxagent.dll.muiMD5=82B5969A8B8EA9A8B613B12FBDAFFC1D,SHA256=12C42A6FAD9E18CC830A415323021933B34212B285C7D8C466BC1BF863D96CE3,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.392{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\pt-PT\MpEvMsg.dll.muiMD5=3149D82F48D136C73CAB3A67EA385476,SHA256=9F350702728B4F65A3A9A6A1DCD7D52C738B2B3F76BB892A2BBC095D04E726AF,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.376{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\pt-PT\MpAsDesc.dll.muiMD5=C47D80BCDD56B5F2B68EBFCF4794B4A2,SHA256=1B902CD70C15B40F7EBAC74159C95DFA8FCA63AF23918316BB24E7375F42EB9B,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.376{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\pt-BR\ProtectionManagement.dll.muiMD5=F7F7AB3246086AE8A0943A6DA22BBCFE,SHA256=F8402905ACFDDA060842B587AA4A881A199FB04FFC90D8E001893CA1CD203B78,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.376{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\pt-BR\mpuxagent.dll.muiMD5=67761F71C8ACB320F309196929D12B55,SHA256=AB614132A559A350BC2E946158B5F941526A8AB61F7376A298EC1437033B5EFE,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.376{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\pt-BR\MpEvMsg.dll.muiMD5=4A68B2F9155F4367293B01110924FDC1,SHA256=5778C31EC2B745F80C69B5EF288DE0416ED97BFD0284760C54ADE967D9B4DFB0,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.361{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\pt-BR\MpAsDesc.dll.muiMD5=B86371E1BAD9569A22C348CF83ED4E4D,SHA256=0462C2871BBF997F2A2EA0C64240E794B5F8718E45E33B1E517E2B2D92EEBF96,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.361{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\Powershell\MSFT_MpWDOScan.cdxmlMD5=F7FB537DD257D78A1EAACB963E57B51A,SHA256=46C60DF352930726D83FAA8AA04D4344023D7D3C8F9F96425A19ACBD1831B83A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.361{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\Powershell\MSFT_MpThreatDetection.cdxmlMD5=8F81E3B410468E280E4B7F2867264371,SHA256=1AEFA5772C4201C2913C98CFAE4AA582F4FBF2E02C3F54755FA8ECCBE4215CDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.361{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\Powershell\MSFT_MpThreatCatalog.cdxmlMD5=4DD6367E1CF0C262654FB5A3EF788636,SHA256=83A91A1DFD94F926ED78B7FFFE682DC5C739A344E204EFA5802EE8A4F7E0EBA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.361{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\Powershell\MSFT_MpThreat.cdxmlMD5=28F5CAF993FEC45C079CCBB68BE4E0F5,SHA256=E0DF97FA1A1119535C81A9B653AD6F2AD487413D79F6721B09334CC6F96B04C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.345{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\Powershell\MSFT_MpSignature.cdxmlMD5=73A0570D71E8C56D634C25020797C26C,SHA256=F0A6F27660E465E4019DA4F00086E3F1DCAB9B40F54CDB1D8F71D40C9D53641E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.345{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\Powershell\MSFT_MpScan.cdxmlMD5=34DEB0F0AF8D042330CE8638F3E1C543,SHA256=34C9A92C669DDA8DDE92C2727B7C0D094AB1DF43689E505503265BE0CDCE36B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.345{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\Powershell\MSFT_MpPreference.cdxmlMD5=2451066F85444CD7AE4AC2BAA68BF9CA,SHA256=B7731D830E34684D96F6FB83DDFF3156851B2406B27C5B0CE582F3EE49FEA5DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.345{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FC8DD0111B95533592B943541445213,SHA256=68D3B77A963CB6F7B4A75981E2C1DE415C98E4C9024A21A9C2869800B73F3D92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.345{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\Powershell\MSFT_MpPerformanceReport.Format.ps1xmlMD5=FAE1EA35F271BBCF701BADF0B6400263,SHA256=86DCBB78781D0A3EF7D0B4AAF693041629F930DEF24C15C94DC4F8FD44B25392,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.345{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\Powershell\MSFT_MpPerformanceRecording.wprpMD5=990729AD92C1325C42B04BC975ECBD57,SHA256=E796454FEE4CF17EFDC25DB5FEEF00A5D7C1B335E6C4B4FE996E8AD7CAB01BC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.345{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\Powershell\MSFT_MpPerformanceRecording.psm1MD5=7E1836A5F48C6FF55AA42C13105E23E9,SHA256=CD268EF93A7710242A554296C7FC365F37AA6001B8D8F79E05A30E62E13AF7B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.329{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\Powershell\MSFT_MpComputerStatus.cdxmlMD5=2612420C7797837773F56765FE9C07E8,SHA256=4A75A861C9C0E911B3BB8F4A740357F8320E6293BD947BB4369F5F0E3AD25385,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.329{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\Powershell\Defender.psd1MD5=3BBDFC485556E8AD079EF4851F9C02EA,SHA256=B9E5AA91603088DC1C7E4D770E87BD60D15E10D0D28230813652655A5426A950,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.329{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\pl-PL\mpuxagent.dll.muiMD5=5D54C04D7C27EA6CE6B210080305B52F,SHA256=C0023426DDE673ECFD1773603527B1A7F45A3FF3188AEF7F3BC5F9715559A545,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.329{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\pl-PL\MpEvMsg.dll.muiMD5=E4AB9295868CECBA04559106FE96E5DC,SHA256=A50120EA0B48F36A5C47F221BC4E61D7DC0B9B1D2662C93BC451820B61D214E1,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.329{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62CC6204CB693D8A70FF10D71AF8A0FD,SHA256=271ADD8E139B1F6565EA1625F8CB3BB82579B6C5DDEE1C279F300FBDF68E5AFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.329{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\pl-PL\MpAsDesc.dll.muiMD5=B96EB382039117DB6E7CD97DA5FD8C6A,SHA256=FF7C4A378D15B2891A4957F737A22A1D158E54A6310924F6BADA53722FA6D45A,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.314{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\pa-IN\mpuxagent.dll.muiMD5=0858AF34223613F6FDB7D36EE2187292,SHA256=50AA641A180DD83863FAE276906387F78EA45BC326DA715E3752B4A7AB5FBC2F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.314{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\or-IN\mpuxagent.dll.muiMD5=795767F8F307614A9AA1789E5610A2E1,SHA256=056C9B6014778E529945152F7A370501E8F489474AB0A672623C2F2F83865ADD,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.314{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\nn-NO\mpuxagent.dll.muiMD5=25EBB8CADCF92D82535096AB16754A7D,SHA256=88E016954F720FD707921A51D3976A4AD420B6ED7901F64BB820DA8D85B1E8B2,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.314{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\nl-NL\mpuxagent.dll.muiMD5=91ADD73C150D29B35CFDDCF5B3D5EA46,SHA256=C3C0793A293BA5F6D2DA58D078FE895D3457B438D5BB07283279C66550DF995F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.314{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\nl-NL\MpEvMsg.dll.muiMD5=D9B3D057BC737C0FA82D3FE1C1E17762,SHA256=ED1280AEBC4FF98D86B6A502B60FEF2B9A2710EB863FC87A225B07FA8BB54EFE,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.313{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\nl-NL\MpAsDesc.dll.muiMD5=2761ABF999488090724F029B46F47DD0,SHA256=DD49F445D7C3FF78735BF6D4B4E1D51F65CB7A02DDC4B3BE11BBE3E0DC8276D8,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.310{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\ne-NP\mpuxagent.dll.muiMD5=48DE53D02EEF84D0C23AB38F306C0996,SHA256=19CD78F13EDD1151A66B513A80B7980B375AA6E17F471F2A77560FBA7823A983,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.292{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\nb-NO\mpuxagent.dll.muiMD5=39E93001C59A4A46CFB241A9031537F0,SHA256=8FAB28ED79F83FFF1D19D2721F94B6CEFA80C81859AFFB618CFE25670AAC7A1B,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.292{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\nb-NO\MpEvMsg.dll.muiMD5=5FDCF259858872EE1ABE3281898C379C,SHA256=10EE08B3A7635F66D34DFA65B33919C8481D16960332AD3F5EF6E52C8F465C88,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.292{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\nb-NO\MpAsDesc.dll.muiMD5=CFB0B5A63855D0AEDA094C8F708446AB,SHA256=0FC17F8F1842DE2DD527C354F21D8F56E91EC2B8D6B45C9D8645EE7E5F1F2F05,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.292{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\mt-MT\mpuxagent.dll.muiMD5=C7463FD36BFEA4AD8A7B447C83387975,SHA256=C1BFEEC975FE032AF6FBB26A951D0F3D5F997D8EBA83253BEDA348F19489CD6F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.292{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\ms-MY\mpuxagent.dll.muiMD5=9F7CDA909D065F05CD51520A132F29CA,SHA256=71D891BDC00C8BCB61DD210140F07C11AD335B2054CBD3477D34E891D1C16864,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.292{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\mr-IN\mpuxagent.dll.muiMD5=616672ADAD44978A93DD29C3AFF3A3FB,SHA256=9119954D8CF59229485AFD1C84FF59B9A43F2CD5BA2DB7315A926C9BEAB69B71,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.292{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\ml-IN\mpuxagent.dll.muiMD5=CE67EB83066266D989BD40B93DB1E5E1,SHA256=AAC779E6F9C48C398433467AB471CF8184AA48934259A6E010239236CB11E208,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.277{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\mk-MK\mpuxagent.dll.muiMD5=15FF598CC5BD7B431D7D132862F55EF3,SHA256=766A403F969F503EF7F9D6E82AE3561EB335A536912F494ACF95FC4EA4A0FEC7,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.277{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\mi-NZ\mpuxagent.dll.muiMD5=3788E807D6F10C0001F53139D9DABC19,SHA256=4AB897CD15C2D31C9661718388DB713C856DCE8D44C362668D7890BC134BE52F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.277{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\lv-LV\mpuxagent.dll.muiMD5=617B7682629B4CC3CCD20461FAC82FE4,SHA256=D75934FAC5D74B3C33FCC1000082572E3B952F11535A228634DC2396096769E9,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.277{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\lv-LV\MpAsDesc.dll.muiMD5=31CB57ECAD792B98A297EB11E9A7C9E9,SHA256=C2034D6E7B108624A9B54ECDB46F551D6D7D42B7E8AAE15B76DD374631453EB0,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.277{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\lt-LT\mpuxagent.dll.muiMD5=FFAB10FABD8E0B751EC3A27114B0D312,SHA256=55E7F6B79E67B57760AA30B6B961B2B24008F6B1B5511DAD69495DE0025938AF,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.277{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\lt-LT\MpAsDesc.dll.muiMD5=D29C9AA95B1DA0F81053D22201A13917,SHA256=2EBD95BA55213CF43024FDE78CDE6984204782A598A658B39A704BC4DFF0D852,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.261{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\lo-LA\mpuxagent.dll.muiMD5=B16EA2ED909DABA1F1DE6AAF72CA1029,SHA256=75D899538C2D4DC4A8939677007D0E4E5CB895C18283B820652027E81D2FE6A7,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.261{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\lb-LU\mpuxagent.dll.muiMD5=540D69728262B6D0EA573760766F3D74,SHA256=73A8E841A41261F687F977A9267D2AED22FB213AC18A979986388521F2E27889,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.261{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\kok-IN\mpuxagent.dll.muiMD5=67CEC24F2A913B13EFFD516CC1C268B2,SHA256=DF5E390CB29986F9DE5DAB9A07C98B7E8900A7BEA18328789129BB7828B1D65F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.246{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\ko-KR\ProtectionManagement.dll.muiMD5=6D0C780B43FE275E596379E82DCB8E92,SHA256=C59BAC91B6FFB0720CC2B870432C7664D1BED3FD87924CE69AB2F6B45944E167,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.246{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\ko-KR\mpuxagent.dll.muiMD5=5E8643FA3B8DE677F6D8067080E997CB,SHA256=5B27A6B036C169C7E7C1958258E9703220E627B5771AC7A9AD8CD82D739CC5FF,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.246{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\ko-KR\MpEvMsg.dll.muiMD5=1327C65ED55EFF9B36558DEB38835CC7,SHA256=F18F5CD68AC4D136823E022122DB655F5B039B27932E72E8CAD58598F72A96DF,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.246{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\ko-KR\MpAsDesc.dll.muiMD5=827B4902FDBC58E3D3F8B792DE127DED,SHA256=9F4DDE454C2A250E23B3DA294BCC60BB3440173F1615925976C211930A1C498B,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.232{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\kn-IN\mpuxagent.dll.muiMD5=86B822CE9BC38CE46BBE27A5384DC80D,SHA256=875F3EA93784906E27D4DFBF3FE36E02EC884B69B583167B5F67FF2D49BDC583,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.232{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\km-KH\mpuxagent.dll.muiMD5=6B2E423EBF42BDB0AF71FE06E17B67CF,SHA256=8AE1A88C2A45733355C43200EC6B9C0548ED092E9AA8CCAD59ACFECCA8B3DF6A,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.232{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\kk-KZ\mpuxagent.dll.muiMD5=D92C5011F324331B87199AAB960055A1,SHA256=60A4EB86C6EBB9F6B1935F03BE9A68B0509D5352BC8987110ED2F01B85EF9BC4,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.214{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\ka-GE\mpuxagent.dll.muiMD5=E61CDBC7A03903C1FB46DBF483120534,SHA256=6DB928110D1182A49A69DFFE9BD1C4DBD2FD41ECA7F3BA631B4B02CA63B8DC20,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.214{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\ja-JP\ProtectionManagement.dll.muiMD5=4BA4863398F9D3A14341A90340ADD837,SHA256=0911119BDE414FCA215CC8C941C1A3C64A8CBCC4447E84AEA5A33A52AABFC7E5,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.214{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\ja-JP\mpuxagent.dll.muiMD5=2F8D87418BE89AEC3E480603241645A0,SHA256=E5F3B15FDD277DE34F31C54399B3733C09948425E58F17FDFBCFFA3EEC1B753F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.214{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\ja-JP\MpEvMsg.dll.muiMD5=D6FBB0AA6A8533D567AC5721572F5572,SHA256=B0B5F85E29C125667B21DE6F9A64F34EC0463A21DEB2EAD2E9E5CE0D647129C7,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.213{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\ja-JP\MpAsDesc.dll.muiMD5=428AD8639C3AD8F407B956A34F1639CA,SHA256=3038D8355D5427CB12B3991EA9CB4B4239F47476128D9D218EB460256FE170F1,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.209{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\it-IT\ProtectionManagement.dll.muiMD5=777476D36AE3DCD67F0B513A78BABD78,SHA256=C8092FD81326BFEDE9BF52D35241885511D47EAC373731EA93FC0BFE07F01479,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.192{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\it-IT\mpuxagent.dll.muiMD5=7C4B6C01EA2973D7EBA9DC5329762A05,SHA256=F2F6B07B04669E8647233C23D1CBB8BC1C9BFFC17A4EF2D232E4047B6BEDBC69,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.192{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\it-IT\MpEvMsg.dll.muiMD5=5A3B2FC4401F36C9AD86C35EAB74758F,SHA256=6CAAE2C575EABF5EE1575A772AD8354A95BA844EA8FF7A8E5ADBD60B86707945,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.192{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\it-IT\MpAsDesc.dll.muiMD5=A19BB14BFAEDE6B935A682C9413D2801,SHA256=C7D91D653BAEA634320A32C8E8F026E80A901909D4CBBC892E06BDF13984C229,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.176{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\is-IS\mpuxagent.dll.muiMD5=6BD7423276AD46B3CDEF38BA5720008D,SHA256=890F7612900356F92608206602D2286E9DA0D3E6E32F3A5811A4AA0465C542D3,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.176{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\id-ID\mpuxagent.dll.muiMD5=14DD9F68BB3CF706E82E604D92BC9667,SHA256=9D40D6072C054EF189642585E98CE6C0762C13B49C79F8A028B079EA8BDB987B,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.176{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\id-ID\MpAsDesc.dll.muiMD5=9A55FE7C8FB7BCEEA0D68356C0FBEB22,SHA256=D68C14FDAD363BEACE5FC239E01AFA3EC94272F76149E30F8638A17409D52C6B,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.176{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\hu-HU\mpuxagent.dll.muiMD5=B8A1D06A635EC9117D631296893DBA4E,SHA256=F4D6AFE2C2700E08D0D2E87351C2AC40D098E7DE422E44F4F284F44A2684022D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.176{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\hu-HU\MpEvMsg.dll.muiMD5=41CFE9742D1BCC8F83CF7BA42C53CA75,SHA256=90CD22C43F9FD84E9ACDA40960BAB35E5625677F6D6A1050BA3BE5D69A4D2CA3,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.176{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\hu-HU\MpAsDesc.dll.muiMD5=B8A9D8E07AB91A42DE78285BDD389DF5,SHA256=326B29389525D0DC4A3F4ADDE98C743F007A4CC6F1ADE965E172232BCA505BEE,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.161{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\hr-HR\mpuxagent.dll.muiMD5=AF0CAA0BA9C0C68A0B0063736131F7A1,SHA256=359874993CF50CFB8693C79F45CD3EC300380B6B858CC4173A230351743CF36F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.161{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\hr-HR\MpAsDesc.dll.muiMD5=C73205CB1B0F4E1ECC0B152C6931DCD0,SHA256=8EC17FAAE3557271D819AB68FEFD7DF311BCCD499D143EFC09EDB91E4451F3F0,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.161{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\hi-IN\mpuxagent.dll.muiMD5=DC1D0F133428B22F059B464C82DB1DE8,SHA256=128C0ED323C6E77FC35B6DAB82E39EE697E272585763FC229A8701D482C37B9D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.161{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\he-IL\mpuxagent.dll.muiMD5=D36B54F154747671C36BEC17F54A3B2F,SHA256=4A86ABB4E911B6B64F96C4AEB240AA3D3DB308A3A05622FD539E077414EEE59B,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.161{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\he-IL\MpAsDesc.dll.muiMD5=7E436CF108E953CCA2D0F3237986A444,SHA256=026B28B226DE4257A845144732FCAB15D68AA07E2F4687400871039202B712D2,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.161{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\gu-IN\mpuxagent.dll.muiMD5=78205A28B81F1FC7FD3DB33296114361,SHA256=857A85F9EE60452CB967E748B3637F866903596F6410B1EAF48031C6807203A8,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.161{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\gl-ES\mpuxagent.dll.muiMD5=FB4D8003094A4CE9DA7EC5464D99889D,SHA256=6343CC909DFFA4725FE8751A3056BDA0873A69912A34E4201217F0AE87A3DF43,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.145{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\gd-GB\mpuxagent.dll.muiMD5=5235873103D602D5D323B1EDA1997C65,SHA256=AEC8097CB4A2E91866C7F92AC8892AC14421FE25B1A42376634392CB3D9F124E,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.145{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\ga-IE\mpuxagent.dll.muiMD5=D6F9F55398473AD2E87C213B5EFF0BA2,SHA256=1724C7152D25A63C0286C64D196EFCC605D8A038D99E1E38F072FF255FC29EF2,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.145{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\fr-FR\ProtectionManagement.dll.muiMD5=3FD1F273261457EE40195711DA3ABD7F,SHA256=7D46CF096A43AD39D3301097A70151DBF1FB82D4F1118D0CF48EC06469E7D51C,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.145{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\fr-FR\mpuxagent.dll.muiMD5=3835EB2D1B94579B2BD9AA5358C5F66A,SHA256=AC82BC31108864BC48BAD4F05423F4D38A79BD51CFFEE02D0FFBDE7FA2CD8ED6,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.130{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\fr-FR\MpEvMsg.dll.muiMD5=B8B47071503A90228F91DE6CBB02E43B,SHA256=F0BE5FDED7115202E8745561C80AA3617FA6A953B97F6686EA1AFD6172294892,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.130{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\fr-FR\MpAsDesc.dll.muiMD5=444EE6AD9F2968664663FD20594B936B,SHA256=425C83136B811898CC72649E44B3B87ED7E56F18B4C4B9CE9206BD6D387344D8,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.130{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\fr-CA\mpuxagent.dll.muiMD5=79FB0CE377B0A6982BBED4091753C195,SHA256=1827CA3C0AFC83B9A25C3D11EC795FD94A78689413076B8524DC73E4AD77FE8A,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.130{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\fr-CA\MpAsDesc.dll.muiMD5=ADB249A84DD01D20450BC41C93FE0C62,SHA256=F7FAE4DEDD9CD06548F257860F24B1AE27581D8854CAD5CD670079AA7B757E93,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.130{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\fil-PH\mpuxagent.dll.muiMD5=26E79D3B4EC619A27CEF7BD83D4EE65E,SHA256=3E4EA9685922E3C0C5D23FAE7C6903286D914154B4C3FB24A936B959021A9DCC,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.114{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\fi-FI\mpuxagent.dll.muiMD5=8224DF9E2C464A75A9D16F883CBFD145,SHA256=71DA1F1BB23F20739DC3123D1DA0894F78AB34B47594A35B8B16CFD5C09A1407,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.114{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\fi-FI\MpEvMsg.dll.muiMD5=18595D849EC73B7ED715E56A195EF1D2,SHA256=3FD4F514FDC757F689271E89A8829B6AC9EBC3B438CB25D7E55657EA6262C8D0,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.114{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\fi-FI\MpAsDesc.dll.muiMD5=37F8EA3627D07550F16635C31195CD13,SHA256=CFB7B894942678A326BB8C431189F59FF11936FD8702221400AF944A9664560D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.114{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\fa-IR\mpuxagent.dll.muiMD5=A1ECBE1B9DFC59FB9F27FA3BA6147EBE,SHA256=1C05760A1DE05EA9EE65F0E201439A046A6CF99EF99D1BA5B4FF674E8EAA62E1,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.114{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\eu-ES\mpuxagent.dll.muiMD5=CC64309DFCB215ECD4DA00A93928A042,SHA256=D944744DB37364D3416FA075D0FBD00A35F8DD40FEB5C14799DCEE717FC38FAD,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.113{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\et-EE\mpuxagent.dll.muiMD5=0E8EAB1D61EE07D242F1993030D2AE6D,SHA256=F3EE598C985D4DF84E7B910CC4E9682223E974CF8A33686ED6647A1A0D1F32AF,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.111{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\et-EE\MpAsDesc.dll.muiMD5=E64432BDE02CCD3C6B3CE7A1CD29DA27,SHA256=93D29CBFE7081F82324492FA46D2B83546244F39ECF99C1F1787883178139BBF,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.093{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\es-MX\mpuxagent.dll.muiMD5=39E7324A415DD307F332D5EF4EFAE9A0,SHA256=DF7FB4E16EC395F8656CD2BAACB24DDC34A94339F59361DCE724B2DD09E79582,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.093{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\es-MX\MpAsDesc.dll.muiMD5=D62AE379CCC6AB86CA07F9AA8AF67EAA,SHA256=FD0442F13A8301FD17088CEEA425CAA9DDE2141107D901D2FE76763C77C9383B,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.093{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\es-ES\ProtectionManagement.dll.muiMD5=D76DC5133FA900C28A449DAB4816B24C,SHA256=5F09FB7745292A7BF34800218D9C53BC1F0F5800ACD4BE1C38D9EABE1774A24A,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.093{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\es-ES\mpuxagent.dll.muiMD5=D86B67572A9CEBFE108F14D07DD0D334,SHA256=68B5F5A11C980C6E9652641935A7C148B54F9E16842E58C286C1062EF8515B9C,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.093{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\es-ES\MpEvMsg.dll.muiMD5=FE37D2D4E452B272650937BAFBF764F9,SHA256=4C64CD3ED413623AB77A59B73ABAA1967A0702BC106F0B8382CA2254A6334325,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.093{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\es-ES\MpAsDesc.dll.muiMD5=8296FD160C769C86DE46BD9AEF62D942,SHA256=02FECD06A553F8E40BA138FEDD8F8C3049BA6D50898156941CED8574E27A76A3,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.076{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\en-US\ProtectionManagement.dll.muiMD5=7D2B3FFF57D9D57273D3224BFFC9342F,SHA256=0DCE81DFFF29F46A1BD42B30CB9D7F8819DE598401EDAC156D27020AEF433965,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.076{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\en-US\mpuxagent.dll.muiMD5=571E7AE814D5201148573B00AB991580,SHA256=4B78F3AF4CC5135D0D75B5452F32B5C853E2C1892CF68F0518EEB6DEA8577335,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.076{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\en-US\MpEvMsg.dll.muiMD5=C138D75DCCA451DF4FB131DC350E3BD5,SHA256=0B075E3BEE07D8A595F9AFFF9359B0C0C5D1324F7D3ADD1E706823135BDCC5F7,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.076{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\en-US\MpAsDesc.dll.muiMD5=ADBE721E9D27B348D982E8033CD2BAFE,SHA256=7DA1C35364A12248B551CA88FFA3DFDFC7384BA17F99FE244E92C6D03B9E4198,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.061{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\en-GB\mpuxagent.dll.muiMD5=1B9465A4455DE69F5931C50680CF4E9C,SHA256=DFA5936CF84A776A0D71793B41ADCE04642539B40DDC8E14803FE30ED164DA2F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.061{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\en-GB\MpAsDesc.dll.muiMD5=91DF6161B15135CE8196BA483D060981,SHA256=B803C9E1F0E2DBB86354C448796413C3E8C5070040A51E5958B6C7CA7AC7AB3E,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.061{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\el-GR\mpuxagent.dll.muiMD5=2CD4344849D0BCF505ADE332C36F3785,SHA256=2EAAFEE79D53B76B660E9D3FBB234255850A7542B421F190C0A3DE4C92C7B5A0,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.061{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\el-GR\MpEvMsg.dll.muiMD5=08747F805CC49D4928C0EB4D742A2F90,SHA256=62C3CC63854A46CA7415BAA7AA2E4AB3C508A00461D2C684F1D5588A24F0240F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.061{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\el-GR\MpAsDesc.dll.muiMD5=83A1CAEF812FA2B50E949212F72540DA,SHA256=29A92DFC89C67BFBF21E827FACF72259395E9A06198F331CEB7C2ED827C83A57,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.045{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\Drivers\WdNisDrv.sysMD5=6235F2DE87229EA585FFE5DE39F0AA62,SHA256=572D59AFA2B0BF080ABC64604DF60DE696BBA397C98D84CC63A9E2A218BB57BE,IMPHASH=B2232D76DB16949062B092AC66B306E5truetrue 23542300x800000000000000060506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.045{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\Drivers\WdFilter.sysMD5=77DD1735A9DF898C6956B14017375975,SHA256=98E4D84E679A2C8054C64F33B260EF1E65EC63BD4634F1518351A45F4B699ADA,IMPHASH=D148E8A715DE2CD7B90529132F014544truetrue 23542300x800000000000000060505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.029{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\Drivers\WdDevFlt.sysMD5=F9FAC685628553E6D565AE4DE7246BBA,SHA256=50762F4493CFAE649B1CA996166BF1FDDF9543EC7BA9B1493A3A51371556E32C,IMPHASH=FFAB6852F7551B536A89E4E6E6DEDE4Atruetrue 23542300x800000000000000060504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.029{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\Drivers\WdBoot.sysMD5=650C6FD2FCBAD1011EDFAAD3CA25B5B2,SHA256=37987A7CD3CDB764B8517B0E5F3D2AC243A16683F8F516D62926A3261FB6EBA5,IMPHASH=4B7A0029980F4F757F052F90FE2D4610truetrue 23542300x800000000000000060503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.029{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\de-DE\ProtectionManagement.dll.muiMD5=0166E70A2E5D5FC71B0A2B25BB228B5A,SHA256=7F68C4BEAB8E19843CFA8A64DA7807C0D8F411929E870D29169C5F26B7ED64D2,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:42.992{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\de-DE\mpuxagent.dll.muiMD5=BBE47E5DEE92A8B698CC32F08DFE96A5,SHA256=65BD31A281B902876682E2F0A4C4C351E58B9566D7145A6EEC9B2BAEC7993F4B,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:42.992{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\de-DE\MpEvMsg.dll.muiMD5=0B3A5FA626030311614C2547A9EB5AC2,SHA256=1684A36E39A053BF44FD76B018AFF0BCA6906717E063CB77D07B6CAFD60C3E92,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:42.992{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\de-DE\MpAsDesc.dll.muiMD5=0E426F75FE1508DA5744E3CFD3DE4565,SHA256=7953274C4CD57C3ED51A70737DD79ACB77B5332F7990102DABEC8C88B9E674BA,IMPHASH=00000000000000000000000000000000truetrue 10341000x800000000000000035434Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:43.051{8EF30467-6B46-61E9-6603-000000002202}6721272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000035433Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:40.169{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50986-false10.0.1.12-8000- 10341000x800000000000000035465Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:44.910{8EF30467-6B48-61E9-6803-000000002202}30163816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035464Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:44.613{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6B48-61E9-6803-000000002202}3016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035463Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:44.613{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035462Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:44.613{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035461Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:44.613{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035460Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:44.613{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035459Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:44.613{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035458Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:44.613{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035457Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:44.613{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035456Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:44.613{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035455Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:44.613{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035454Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:44.613{8EF30467-5220-61E9-0500-000000002202}412528C:\Windows\system32\csrss.exe{8EF30467-6B48-61E9-6803-000000002202}3016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035453Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:44.613{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6B48-61E9-6803-000000002202}3016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035452Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:44.614{8EF30467-6B48-61E9-6803-000000002202}3016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000035451Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:44.333{8EF30467-6B48-61E9-6703-000000002202}19682340C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035450Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:44.144{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC0AA7999160AC4BCBBB2C652DB52B2C,SHA256=6AB3C198AC5654CC92E9415CB385E769097FE3A5091FFED7F4C437781257375B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.996{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\pl-PL\MpAsDesc.dll.muiMD5=B401083F2A501DA8336270EFC4A7C2B7,SHA256=42492C00E42DC745EACB8762A322EDB07FAFA8B75CA4F86B5AB296E01F5B5731,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.979{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\pa-IN\mpuxagent.dll.muiMD5=4C850541D6D5FCD22D7EDDD326237592,SHA256=BCF712B90946EE922B6006B6AE2CB06C63F5759859D4ED8C33C193D3BF85D929,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.979{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\or-IN\mpuxagent.dll.muiMD5=67F1E4690049BF45075F47F5FDC3CBA5,SHA256=BAF327C320A2DF51ED3587970E24A63D15AEC602C8A04D737AF544D90A49F542,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.979{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\nn-NO\mpuxagent.dll.muiMD5=1A054A4D4664B53B1E7CF3D41D636D81,SHA256=C8810C2B9C2F9A2CFAC2F796F3ECD08194CAFF4426F82306A8DFCF6CB55F768D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.979{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\nl-NL\mpuxagent.dll.muiMD5=7E55F07806CDF92BB8E4A9F9A08AD113,SHA256=B04D0987135C5BE091154DE260E9656251A9FE56B858F6D7CCB7B8377CFE8CDB,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.963{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\nl-NL\MpEvMsg.dll.muiMD5=C7B03BDBE1B44F1E4D1A5CB31B0E3D48,SHA256=AEBEBF2E049BF6363458C8C27BAF50A5C3B5EC0306220A776E8B9E0042006FD4,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.963{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D9ED447B6D93F3521406CCA47F94230,SHA256=BD79A4D22DA5C6E8E0E4AAD9ED973F90407E8861B5421D7577ED6BD18A123BE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.963{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\nl-NL\MpAsDesc.dll.muiMD5=2BFAB6AB228DB7C31EA1375C9387AC2E,SHA256=812C33C9F36C5B59B7EA8CDAAB72FA3C9E73C2A2510D09C951294DBC324288A2,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.948{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\ne-NP\mpuxagent.dll.muiMD5=BDA62FF800DC54E78BE512A9817296A1,SHA256=8D9C952CC6DEA5BB24C28F020CE008800234D410202294D91978D26A73F9B7DF,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.948{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\nb-NO\mpuxagent.dll.muiMD5=9C2A110EAA6FC97E3C5DA47646644808,SHA256=17252AFC4ACC242594F4B7E3658A46D42B613C3A44812F02FB493325C04ED4CE,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.948{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\nb-NO\MpEvMsg.dll.muiMD5=274F55B1372D0E00476F7317A6B18102,SHA256=D2F6EDD39F099DB01F16BB9FCE879BF5B3CC0D0E9D92452386CFF1FC48054B13,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.948{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\nb-NO\MpAsDesc.dll.muiMD5=7B7FA41F68671935365EB91EEA46CC3E,SHA256=7FE884436AFC67314E91AC08E437455E9D65A19E69A357AA4C8731F48A67A46C,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.932{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\mt-MT\mpuxagent.dll.muiMD5=ED84C38AA2B7F9ABEC006A9FEBFE7EF6,SHA256=91F2CD6856DBD5355DD686D174273338689751DCEFB222BFB483A7B8A780A0DE,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.932{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\ms-MY\mpuxagent.dll.muiMD5=100C8A0F6C65E7E8758F4C21D343843B,SHA256=F8CEF87FED4E8A4A81E6730051EC7E5AEAC9C3D0A0C92A02122BEDCAAAFD2E1C,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.932{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\mr-IN\mpuxagent.dll.muiMD5=0357ED34E45AC638376BCCB20686B007,SHA256=98B9926F73522499889C87DBDAB469584D3F1F227643D89673A4C615C4DC69C1,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.932{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\ml-IN\mpuxagent.dll.muiMD5=8152B5AE1D28F86FA4676D490C629B73,SHA256=E96B27DA4251B080A70E1BA9FB3FDF5A75E5893F64141019953CFA5979A20F3D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.916{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\mk-MK\mpuxagent.dll.muiMD5=E8E3CC331E4C2ED9110E6C482156859E,SHA256=AF9A7B8178531DBC899382AD925A341DEB154DFF92CB7AFD2B9040B3DCCEE6D0,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.916{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\mi-NZ\mpuxagent.dll.muiMD5=DC1C80F841F208EA10819F7E98B8E318,SHA256=780D728F4432C48AD9FE89CDCFD763E0B4DDF55B96A5B7DE4DDFA4CF0006FEE4,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.914{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\lv-LV\mpuxagent.dll.muiMD5=8715A0A82126811B284BEB7048C9EE9C,SHA256=379B83B23F5251396461C2184AD74B2FF6C80ED83286DC35B072F42CDEBD4404,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.894{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\lv-LV\MpAsDesc.dll.muiMD5=83EEA5727866C15FB534F7E793E9C422,SHA256=8CF18A0DF4955161E083B2D206D18FE559F546E63DDD8AAD95D6CF3743D9872A,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.894{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\lt-LT\mpuxagent.dll.muiMD5=0BD46E92BFA8B571696B42AFA026A788,SHA256=A0064AF8E8B9ACF8F0FD5EAF6C44ACDD0A5089CC4046302C4C2D878A83A9F2D1,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.894{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\lt-LT\MpAsDesc.dll.muiMD5=D0B875F11FE3E603D76BAA308C4A698C,SHA256=0C02077626100E0BF153A0B368616B0A0BD4D72AEB566776E6C86010800C507B,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.894{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\lo-LA\mpuxagent.dll.muiMD5=4F4D5B43666B5DD91A0E6B68FCCA841F,SHA256=460E8072BF289928CE8F1C3B12C37C4B7DBF764EAA39620425B6F9B1D753C9BE,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.878{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\lb-LU\mpuxagent.dll.muiMD5=1F27380ABC9C4F1760B64C8255C7B851,SHA256=3DB7134485EE1187D68E438EB417B621F207941FB7754856E5F8E33298B64CDB,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.878{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\kok-IN\mpuxagent.dll.muiMD5=15737A6D66877C827870F413C742A329,SHA256=863B211AAECB3C2DED40E92C0953300F9DF8F03F86F4A422A878BC159057E8DE,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.878{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\ko-KR\ProtectionManagement.dll.muiMD5=661008A5CACA2888CE61A460FD39DD4A,SHA256=44A0C02B1332E44AAD10A96916B50CD7D75F4B85F487A33EAF93C19E613373CC,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.878{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\ko-KR\mpuxagent.dll.muiMD5=B184E8EC7AC67130DDE049B092D78E10,SHA256=A6B341E148C9DB03E3FA5358E9413F3FA3453AE7F48F978827124E846D1679F2,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.878{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\ko-KR\MpEvMsg.dll.muiMD5=07D2FBE82A3409F1C9B831AD58888E49,SHA256=F4A1F7766CE3A5F62A3399056C05F4E9EFBBA08D6534DD1826BDBE4A5F1B6C26,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.863{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\ko-KR\MpAsDesc.dll.muiMD5=C90D96FC52F760C48925D72D1400F37E,SHA256=77FDC8A8421A1D89E3875A79C3ACA574AEB79248B03D04001722709F37DF48B7,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.863{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\kn-IN\mpuxagent.dll.muiMD5=7DD43D571370DE5ACDAC23F06DA931FD,SHA256=535843FF64ED6D4B35B3ABABB450F047095A6A89CAC67AF3C90FFF8DF48EF2AC,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.863{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\km-KH\mpuxagent.dll.muiMD5=222698F0A8FDB2DB3C4594C96F88D06D,SHA256=1D325D6928C049E7AC1F00D49A4101AECE1485EAC92C1708480057880B759E2D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.863{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\kk-KZ\mpuxagent.dll.muiMD5=E686D76F881048AE5FBC203371C3C5AE,SHA256=DD171656AF7165FCD5055C360805A29BE92346894D57A8FCE4D821324D20BED9,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.863{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\ka-GE\mpuxagent.dll.muiMD5=1327C783EF90968165AA47F93277F5CA,SHA256=D6A461F6F468CAE22E658B67DD1CD5F7386AC09E01BC4423BF0014C1A441487F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.847{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\ja-JP\ProtectionManagement.dll.muiMD5=016C9D563CCE5D2B4176C2709188D418,SHA256=CB5330A576444D21C9CF949804E652C9DDCD9D6645B867C0B6D040C41704F302,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.847{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\ja-JP\mpuxagent.dll.muiMD5=36CBA59B6BD0814A082660074A450C8E,SHA256=0F684185EE9E428EA9F2CCB51179E7C7A5D79E4F08551AABA4F7B727945012F2,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.847{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\ja-JP\MpEvMsg.dll.muiMD5=3C0F43A583E39BD19364248B99976272,SHA256=2ADCB156C8FA238B255C91BA6BDF8A00E5FBF9B1065B1565238898BFA1EC7099,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.832{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\ja-JP\MpAsDesc.dll.muiMD5=B5F06A74EC5CE97265CEB51C02A32E73,SHA256=3AE75A9C93E42FA79FF56AAE113CC205F4AA47A70F0432FE25D36503B7EED7A9,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.832{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\it-IT\ProtectionManagement.dll.muiMD5=43DF5F29586F65873FD7DAC6A3406DB0,SHA256=2483CB01A9CAF7A5DEF63740E640EA1648A2C9426C0D4448BABF9966F4FF5C16,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.832{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\it-IT\mpuxagent.dll.muiMD5=F5E020993CE8C7E9A39D9B3AE51EF265,SHA256=EF5FC01D0D44B6FBD6650FBCC42E0C5970D78860D56A75B7A64DF12F268A307F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.816{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\it-IT\MpEvMsg.dll.muiMD5=49C7FD7EC07208B37F4424510B4E9F48,SHA256=E3EB3FF9F364608A5CFCFE951FEC413677EAE7E762916F00D7557C35ECB3D238,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.816{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\it-IT\MpAsDesc.dll.muiMD5=2BB4AF4AAF157F9023E6DD7BD9A22037,SHA256=29441EF84FBDC8E45104E145F630487A42E72B1EDBE974C50BE153D25976718A,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.816{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\is-IS\mpuxagent.dll.muiMD5=CC63D7229B687A0555A6F322B6CDE68F,SHA256=F88DE4EE2D61B50477C889787BDA48816B680DE2107A529178B82D3FB39D5AE3,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.815{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\id-ID\mpuxagent.dll.muiMD5=E02E26AAE92139318A7134A0A79D55FB,SHA256=35A9CD12B369D0097B6759D84F8997DDF2CD1F95E5AAD8D49406E4B520ADCB2C,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.794{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\id-ID\MpAsDesc.dll.muiMD5=85943C2EBB43E9B241F2D884280E84A7,SHA256=8B23C55F41920D3A8FC90E91E36372DD1AB044C81BFAC26324835F2E22AAE511,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.794{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\hu-HU\mpuxagent.dll.muiMD5=1BB3CCDB0E85433A5AAA47FF46A232B1,SHA256=9A2682B2E05A9A42631D0D610F7DFE24088965694DDC363B3F76980D5F37C72F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.794{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\hu-HU\MpEvMsg.dll.muiMD5=03C904D55257A07D037BF817AF55034A,SHA256=6FB1574D6647A6B8B1DD19CFC377091586677EAA1C60AF55FE130BE823DD8995,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.794{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\hu-HU\MpAsDesc.dll.muiMD5=54F0DBD0C33802353A01CE3FC78D8839,SHA256=B8C5E09B04156FC7D6B3CB91BCD78E333FD333D6661A8A06FE2C79F967EDE194,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.794{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\hr-HR\mpuxagent.dll.muiMD5=CA98D8B7503D61A0159675BF773BAFB3,SHA256=99C3BABEA53C2E5CB99A4FFEA8CEBE244D0D9D750A9382C100DBCD87B758A4F5,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.794{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\hr-HR\MpAsDesc.dll.muiMD5=FEE0B18D5A27CA7E46150E58D28E3A1D,SHA256=81DB7BFF60679B56D75C15397ABF0E546D5A320BD44C6871008079ABD5C696C9,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.779{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\hi-IN\mpuxagent.dll.muiMD5=4711697C3001B09FADE00AD1CD52A220,SHA256=BA4ECEEE4C14EF4D7E0B0C31E8DC8B2DAE4C1668EED9318A89A8E9B4E9AF17AA,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.779{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\he-IL\mpuxagent.dll.muiMD5=9AC12A9E955057CA687BCB20CD0664D4,SHA256=A8F5B0D1C508B9FD92D570989B04E6B1CD7A17E3433BB9F1A424E31BA546B516,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.779{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\he-IL\MpAsDesc.dll.muiMD5=B9F6616413FD767904C0F7280FB6478F,SHA256=E2FFD9E7057FAE276B32187106310FE97249AAFE6BD0AA2E7C569C0023DE9910,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.779{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\gu-IN\mpuxagent.dll.muiMD5=A82039F34DBE3059BAFB353F15B821D9,SHA256=845CC18711421317F21FFD6ED981A55A1DFAB439F6254E61FDAF9238A02B37A3,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.779{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\gl-ES\mpuxagent.dll.muiMD5=96F5728002472BD841A76FAFED8D7ACF,SHA256=65E0787EA9E028645FBE028887FE781E1BD225B58D529786FE24D4E08C56FD48,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.763{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\gd-GB\mpuxagent.dll.muiMD5=4C4A804E15C9160284C3D773FBB471BF,SHA256=21FB2524F6F01AAFD47A176A0E3D2654EF2EA425A3CC08D0A2CF87ED9517B973,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.763{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\ga-IE\mpuxagent.dll.muiMD5=2FADD9CFB5B7F3FE58E9062CD42F99E0,SHA256=52CF2CD46ED43B59C0E7F431F54C1E5843A1AC7D297CF8B9DC0C0E59FEBE6D60,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.763{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\fr-FR\ProtectionManagement.dll.muiMD5=B3C206C579FDC4E0F136F666087A1A59,SHA256=115A0E34AE2005A5F0605C93CEE01063C0A43A357D3D350D5B388331E5C286C3,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.763{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\fr-FR\mpuxagent.dll.muiMD5=BF23D36F68C22C68FB4533BF2EE4FBDB,SHA256=3C75EDD06BF72FE6358159EE280AC2599B1464B3AB1DB62FB6B890439BD20F83,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.763{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\fr-FR\MpEvMsg.dll.muiMD5=CBACDD811B404C10F44B33AF6B551314,SHA256=0F18FA664A157462A28628ACFF0E44821D4B2B59A9264FBF65EBCB820CB2A2CF,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.747{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\fr-FR\MpAsDesc.dll.muiMD5=285926E7F267F44F5A8A4D39FD6F3F9A,SHA256=0FA9712825450FD5554AD735C082386F9F981FAB952E0401E963300D8D8EC77B,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.747{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\fr-CA\mpuxagent.dll.muiMD5=9112D2D8149ED6D27D8CDB1A59318D96,SHA256=4FBB2359F2E3D046355EF7F67A14358924C5F307344FD01AC5F9F469FDF0DDCC,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.747{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\fr-CA\MpAsDesc.dll.muiMD5=D0F5A473AC62E4D9F4D84C991501D736,SHA256=D8837AA791AFF1175ED7BEA92AFEA813A4068A94498CFE29F6C1F4D81811F35A,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.747{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\fil-PH\mpuxagent.dll.muiMD5=63F04EA51006BDFAC0E72FEC77793AEE,SHA256=C41D10191277F54E2F19A9D0B96BBD8CF46593B0C945F96FB10F5EDB7D2275B1,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.747{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\fi-FI\mpuxagent.dll.muiMD5=8091855B10B231F0C616288DC931D144,SHA256=F4301EE452564C53FE442B8B82B2A6A3C43BAA14BC0A65519B5E5CD45BAEEC6C,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.747{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\fi-FI\MpEvMsg.dll.muiMD5=6D873185C391DF16629C6A626599A0AE,SHA256=9CF04577CE63847CC91FFADE32D8E89A75DBEE357BEFCDAA5F35BBDA944D86EC,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.732{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\fi-FI\MpAsDesc.dll.muiMD5=A9E3A9CE00F86295071DF298335F6C06,SHA256=88BAC39E1E1E0D987893162D8828E717CA3B9CC0CFB7A8314D98EE9F8D837104,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.732{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\fa-IR\mpuxagent.dll.muiMD5=4DA0DD6B78BC8FFFC216EA883E6DC6C2,SHA256=403C709C2DDCE26D5CB837236A141B42466B271B24757529DFF64D2D8174D4D9,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.732{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\eu-ES\mpuxagent.dll.muiMD5=67AC5B49C88380DB336D06CF1ED3173F,SHA256=9E2A0FECBA2A37EE285CE2768D1209189D9250EED0C936EEE301EFEB5C96F7DF,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.732{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\et-EE\mpuxagent.dll.muiMD5=4A884A0F57FDBE52EAF0D87C581FB234,SHA256=3F0CBA6196FAC14F53B99746013C0D0B825B9BC02A1335284CC6B51559EE0ACE,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.732{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\et-EE\MpAsDesc.dll.muiMD5=927FF21ED30775A8E85D131217C9D237,SHA256=B15DCC4C08E0852FC4DB69690630088C2B2BFA095BD57FEC08A559C085D32D99,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.716{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\es-MX\mpuxagent.dll.muiMD5=63B754BE7F6DBABD068C15B39CE4C113,SHA256=EAE30810FAF0488B162E1E755048CF93002A9865E213AC97402FB7A3B9ED8394,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.716{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\es-MX\MpAsDesc.dll.muiMD5=5C35173FA74A3D672A56CC543A32FA5A,SHA256=3D6F9B57DD78182D5C68C2030394E2A2FEB3DF71FC9F789F6A7A24C58A6BFC66,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.716{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\es-ES\ProtectionManagement.dll.muiMD5=8A9DDB06A8571FAA347655E6C42DCC3B,SHA256=028CA6F190BAB7952E0DDFC77496A61123B752AB35702AF68C0A9A75A3C0CE81,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.716{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\es-ES\mpuxagent.dll.muiMD5=042B5EDB16226FF87B31C1EEE0919947,SHA256=9F728A89F7E3929C7A787496E84D3FE6006DD284CB8A0DCAC8BC07349E889625,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.715{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\es-ES\MpEvMsg.dll.muiMD5=1405D597CF11D85A22F85976119B6FE1,SHA256=84D02E2B3094B0D28107DA7A4E9AAF4248AF6727B8C15875CDA6A3874A8A9E69,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.711{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\es-ES\MpAsDesc.dll.muiMD5=6A1D6708A2926479AB25C58A2F1E78D5,SHA256=E72CDCA57721651D1C787ED2B67D7059D9123DC7A71A27241F6A57285EA0B135,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.694{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\en-US\ProtectionManagement.dll.muiMD5=F50AF044431879E0D89FA35750944411,SHA256=C22A3F2938DEAF607461C1863306CA6265F26C6DAD758D4B9C06A114711D713E,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.694{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\en-US\mpuxagent.dll.muiMD5=AE09146725377A5CFC93F2AFB266D988,SHA256=9EF5437EED8EC59D55DC2CD5B3FCCEEB34587213202C8D4C89537569D132A320,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.694{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\en-US\MpEvMsg.dll.muiMD5=DF0918B0EDBC7B3ECC4D16E57ECAF80F,SHA256=6C5B089AC989E1341C520CD158F27CE203EB2C0147BF58628ADF3E5B0B7C1CFD,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.694{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\en-US\MpAsDesc.dll.muiMD5=187C46CB061A1195628F6B3E4CC5CB94,SHA256=6040A5971CF7C9538AB347FA9CDA4067A11D7B159557341BB6E81B4CFC3115BC,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.679{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\en-GB\mpuxagent.dll.muiMD5=693CE8ED1E84826C547DAAC802C98A2A,SHA256=CBD7D1BFAA7D5FDDBF51113432BB9320184CEA5E93FBEBC061A247CEFAD9FED0,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.679{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\en-GB\MpAsDesc.dll.muiMD5=8A798EBBBC7737507AD7D51ED468A5AD,SHA256=96A8EEA3E7EBA64442A6D0B70B483DE164A5C248F6A598AC925435A6FAB54BA7,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.679{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\el-GR\mpuxagent.dll.muiMD5=EF22A37059CD990CA97F246C417472FA,SHA256=6D82FBB32A867DECCB922A2F376110003CFE24C3BF5621BE58A24316F8C8AF80,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.679{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\el-GR\MpEvMsg.dll.muiMD5=FF87B719FC9B61CD168D95692D417CAD,SHA256=BB8A4C321D817BCCFBC0D30FA1B947430A39A8182559DC8199E691774519B76B,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.679{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\el-GR\MpAsDesc.dll.muiMD5=79E17EAD71A9B8D43F653576F201A0D8,SHA256=E2F6C603C69BA2A2DF791BE1B38BDC3C7CB09DF829FB1375DAFD96C5AE65207C,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.663{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\Drivers\WdNisDrv.sysMD5=1526B96991A61A91A8EF39D2346A4C4E,SHA256=63985A5BD74906F7AADF22BC60C9694AE2B77582DA0A8DCF9A35AB6018B19849,IMPHASH=B2232D76DB16949062B092AC66B306E5truetrue 23542300x800000000000000060725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.663{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\Drivers\WdFilter.sysMD5=8D341CCADF5FA9C342D03AB71C163444,SHA256=88061DE952D44FDC17625E0B779FFE9E144C3933D21D2B9C54322CB871BE5F9A,IMPHASH=D148E8A715DE2CD7B90529132F014544truetrue 23542300x800000000000000060724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.647{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\Drivers\WdDevFlt.sysMD5=EA7BD4E901D5B77990B131E1B0FFCBBA,SHA256=87AD5AFF6B14B603708217E2ACCAAC50A8D12251AEC0A7883FD5B97292889ADC,IMPHASH=FFAB6852F7551B536A89E4E6E6DEDE4Atruetrue 23542300x800000000000000060723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.647{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\Drivers\WdBoot.sysMD5=F275B59876FF941EA4C2AB1AAE5DCD9A,SHA256=A3087A5FC5A617DC951001B5C210BC275D97806629A8DB635A6A4E33DF99AA3F,IMPHASH=4B7A0029980F4F757F052F90FE2D4610truetrue 23542300x800000000000000060722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.647{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\de-DE\ProtectionManagement.dll.muiMD5=E735FDC4511AC3B5A9CACFC371076AEF,SHA256=C7DF47BB80C160ADED39A0148DAB6A9CFDA612D3503ADEF65EDEC0EE6180A25C,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.647{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\de-DE\mpuxagent.dll.muiMD5=1997595B05B49D3B2C65CAD659F5AE8E,SHA256=FB6A66079DCB5163A4E59DB6ADF788C31107222BA7565026117C4C8269A1EC56,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.632{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\de-DE\MpEvMsg.dll.muiMD5=4F4B6FA818D9296DFD2C50E9FC8E3148,SHA256=5ECD0436B6A03F3492E8F49E77EDBB9980930026F901FA7B9320A977611F0519,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.632{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\de-DE\MpAsDesc.dll.muiMD5=332EFC7E9655C17CE7B72BA2FAD9B8A8,SHA256=B9E56473D315682FDCA6A1C40D4B6074863D2B4D994CBC57540FE77E4BE0B7E8,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.632{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\da-DK\mpuxagent.dll.muiMD5=7E79B3585A5EAAC5ABD4225BABD5CD15,SHA256=F0B45691C00E5B9533BB3386453B1DDAEA68060E5F03E391D8B98F74FCD09B3E,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.632{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\da-DK\MpEvMsg.dll.muiMD5=251AC3CD9D8AB20DDF64636DB63F3DD0,SHA256=80078A983E83A160602EE29B9F9176003810DD018680E9DAD0B02456879E4D92,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.616{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\da-DK\MpAsDesc.dll.muiMD5=6BAA1DE1B3CC2FCC7695F8FEC043BA37,SHA256=033A1FB10B2CE94260F72408E22A68BD88DDE3459A15826C9597E7981D801467,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.616{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\cy-GB\mpuxagent.dll.muiMD5=D476A8CE57FE38BA7F1E12DD496C23D2,SHA256=C5EEE24874C3F4F98DD9B08AC6D0EAB0D7622B00E546FFDA993A86173897BA7F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.616{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\cs-CZ\mpuxagent.dll.muiMD5=AA080DB759BD98AF8A33E851EE5078C7,SHA256=3217722393E01E8616CC6CD1D63B32931342F0CF28754C1AB3A1F8FD60966E25,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.616{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\cs-CZ\MpEvMsg.dll.muiMD5=A0A5FE002EC73797DA31CF029C342E0D,SHA256=7D59200CE5541BE46C0ADFD9E94397151543161E507A5DBA5A751690F5BFC010,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.615{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\cs-CZ\MpAsDesc.dll.muiMD5=7CA2154A8C6E6FAA29554C0F8F9FFF84,SHA256=4EC3E83EB3A3D943F29918EC29B0CE6B9AC4A99021BF8D320148D4CF1ABC8009,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.612{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=510A40A9F96C842B7FE7FD5706512900,SHA256=5C6A3909C33831A080257818A53E822E016EA7EF380E4F445F0C2A2CE7D00DD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.594{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\ca-ES-valencia\mpuxagent.dll.muiMD5=700994B603A3AD4C63A73628363BA34E,SHA256=5137437407BA412E9D6CA0EDD1E42A519EB9A4749AFA86959592C2971BD5C5BD,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.594{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\ca-ES\mpuxagent.dll.muiMD5=A2EDC36B256116D244EDEBCB9618A038,SHA256=C59F2084B4A938D2D5EB796C9A64EE998426A7EAE61364B6CC20733491CFEC28,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.594{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\ca-ES\MpAsDesc.dll.muiMD5=434861E8B64AF92FE8DE8E9F90EBE587,SHA256=CA47D07911750AE7AB92B89829E22BC379EFBA2E86E8E59B274DADE31298CF28,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.594{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\bs-Latn-BA\mpuxagent.dll.muiMD5=ACB24B7EF7EC07681320B72D17086145,SHA256=E094025F7C0549C550846D878CC9EA493FEC2958F9F297734E295F724E8104FA,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.594{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\bn-IN\mpuxagent.dll.muiMD5=9FA720C93633B9E7909D82A4EA786677,SHA256=E44A23E6D0F4A8621BFD34F11DFC39AB433A57FEE3D3E1272574AADCF54D248F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.594{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\bg-BG\mpuxagent.dll.muiMD5=0A1571826256FF307B6A7B02F15A570F,SHA256=1342ACDBBE2159B4AB9E15E5246C962D5B2999E00E056A025C2B61816700AD20,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.594{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\bg-BG\MpAsDesc.dll.muiMD5=94D852744FD8BC979242D35799A73D13,SHA256=2D9C27EB93CA87C869147AE55678EDF9CB5E44AC2DA44D2DB3E5E3A37F848FDA,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.579{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\az-Latn-AZ\mpuxagent.dll.muiMD5=D47D16550919A2A09BA7B196E983E5C9,SHA256=A330CF212D5362D529B907C0EED9C32D33096DE3E5D044B5A577C33EB4FF9E07,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.579{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\as-IN\mpuxagent.dll.muiMD5=704B97A099D74DE55B62BA93D2028770,SHA256=6F00A9E4787D9E37547185AD2D6B220AF416E79024C0F2A4D195F3A0A8FBFBAD,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.579{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\ar-SA\mpuxagent.dll.muiMD5=11AF1EAFCF99F801247E5D15B307B37C,SHA256=A0D448C2117E94B22032CD58BC3740CE13286B4350AC172339AE702A832E5598,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.579{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\ar-SA\MpAsDesc.dll.muiMD5=E6C0CA84DB6B98EED91C7FCECADA1A03,SHA256=98BCDD1DD54DBB1814B5C687AE917E70DD512395A1729DA0D290026DBA65E04E,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.563{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\am-ET\mpuxagent.dll.muiMD5=1ADBB96DFEF6ABD3E4B50F0920A82E64,SHA256=41743F683B41DBAC3FCB3A1B42261224741498A153A36EAD568D039867F81AC3,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.563{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\af-ZA\mpuxagent.dll.muiMD5=15DB2943DD1EFAA4734F8F77939A30BD,SHA256=D554657531449828477F4B5033073CA2C318028528B557573F7E931CC5E5FD6F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.563{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\ThirdPartyNotices.txtMD5=CE7313760386B6ABDE405F9B9E6EA51D,SHA256=73E26404B3571A9E859B3A1144F54C353172479586E0A23C3A7DDA0C1C0AE919,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.563{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\ProtectionManagement_Uninstall.mofMD5=72D045707D108D55B76CD70AD9A84AD6,SHA256=30A0AD834D7B3F4FB47010B4BB6905576792E83064E9DD858EABF0CCA17FC3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.563{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\ProtectionManagement.mofMD5=D9619BB89523F47C88DC5FC8BEA50BA0,SHA256=3ECDCEF5A04C90CA1EB296F3AE4F1C5BC96C371E84BE927C25FA64D6C74C34AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.548{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\ProtectionManagement.dllMD5=6961741616536665EA08B42A33CC4661,SHA256=5101226F1C66F21801910E1DA1292E197D0EC519D47C1F9BED4A9CCB6AA85B71,IMPHASH=9FC00988A6134F08C0D6DA8432A3B141truetrue 23542300x800000000000000060693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.548{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\NisSrv.exeMD5=8B681478CB2CDAA890038ACD61D89521,SHA256=8C0181F0DAB62F42F98F8DCF5799594025091519B70C57726FAAF04644BD989B,IMPHASH=1A1A6C24B2E22725BA69163837D402F2truetrue 23542300x800000000000000060692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.416{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\MsMpLics.dllMD5=3A0822C50B25F60F6BB3258DC4E7E2F3,SHA256=BA0768BD9992936F57DD752CD273F6817A3B07954DDECEC5AD91F4044FDD82A3,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.416{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\MsMpEng.exeMD5=60388873132DD881FB92F5B4E887FAD2,SHA256=5F7EDBE04ED4A7F616AAE597E7D0AB0D2E9DEA30F70601F80BD45141DA5FEEA7,IMPHASH=99C98AC382B2B1D56BA3D07EBC95CDEDtruetrue 23542300x800000000000000060690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.416{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\MpUxAgent.dllMD5=E144F02A93F5CAE8E460EA5651932FC4,SHA256=707EC580499BC3D12464ABCA3573211033DFB93F3EAF5C1B8798D611DDB63753,IMPHASH=32558E4AF479B2A1D13F5DA57D6FD400truetrue 23542300x800000000000000060689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.395{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\MpUpdate.dllMD5=4BCF3530A3E32835BD10EEB2573A4092,SHA256=7F6780AA7CCCC12D7335F7D0F3DA69D39D17984F816BE7D2AB4A273B8206A76A,IMPHASH=61AE0536E72E995FE5058EEF5884ADA4truetrue 23542300x800000000000000060688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.395{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\MpSvc.dllMD5=F2C455102802A5ACD50E11461AC60443,SHA256=CE93B78AF09312AFD942B3244A5CF82F1E2ABB229D539D4C5D293EDF0D7F6ADD,IMPHASH=869A767128881B43010343A3C9F41E4Ftruetrue 23542300x800000000000000060687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.217{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\MpRtp.dllMD5=B2BF088D673A41015660F06122544306,SHA256=DD0F7E91CC8070701CFB6E5AA8D396BA4EC10293070A2A39CE734CA933B4A5D1,IMPHASH=284241B97D473A4D0B3D15E1ECA07B6Ctruetrue 23542300x800000000000000060686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.132{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\MpOAV.dllMD5=1EFC781902A9A6D9B41A637D6D208BD6,SHA256=69393FFD5B8CDF374EA7A98AD71796B2F51BDB70313F43FFD319E90FB54C0A2B,IMPHASH=03EE692DE6217827EFB332DB1F358A4Ctruetrue 23542300x800000000000000060685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.094{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\MpEvMsg.dllMD5=2C4F5638B077C41E8A414EBCDDE3FB8D,SHA256=08548E5F0088B14904F4204F8E47A29A52B39DA7C95487290B278B40C27E5A94,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.094{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\MpDlpCmd.exeMD5=45F4A3E1B907587D70B423D77828927F,SHA256=46C1A8F13E5AFC84A647E2E00DBB604FAFD1315265AEB2CAB893995CF0722274,IMPHASH=73B146117A6C5C4715CD7F3710845C83truetrue 23542300x800000000000000060683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.048{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\MpDetoursCopyAccelerator.dllMD5=8EFA4D2FCF62C85B514DDEA02A52E8EE,SHA256=C39A8AE6EF502AD32437E942ACB790CD960F643D619F162B7417D62B1F1FE174,IMPHASH=F50111F80E604507B2C7408826513BE5truetrue 23542300x800000000000000060682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.048{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\MpDetours.dllMD5=881CDD2CD81AF69EF79188AF8F4F79AA,SHA256=BA946465B47B7F1014BE41FD49E37A2423112DBA833519374ACE30837C6A4FB4,IMPHASH=347E3515FA426FC23AFC3969AC2AA015truetrue 23542300x800000000000000060681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.032{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\MpCopyAccelerator.exeMD5=12B82361BE827DB8DAC8DEB7566E1A27,SHA256=1F0C41EEF553A8435D3A529B29AC3C0736CDE78F399DDF6434DC81A965821299,IMPHASH=2E64BE4FE96382B4D9FDBC155B3FC191truetrue 23542300x800000000000000060680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:43.994{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2110.6-0\MpCommu.dllMD5=56CE35BDA5863763F46170EF16AA16F5,SHA256=700E0C403CC24B6856F32B9DCA7C5C06A382229755B59FA30D24DB30B9211880,IMPHASH=62F06A360AD973C1B32B3050BFEE8E5Dtruetrue 10341000x800000000000000035449Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:44.113{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6B48-61E9-6703-000000002202}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035448Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:44.113{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035447Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:44.113{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035446Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:44.113{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035445Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:44.113{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035444Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:44.113{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035443Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:44.113{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035442Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:44.113{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035441Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:44.113{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035440Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:44.113{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035439Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:44.113{8EF30467-5220-61E9-0500-000000002202}412528C:\Windows\system32\csrss.exe{8EF30467-6B48-61E9-6703-000000002202}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035438Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:44.113{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6B48-61E9-6703-000000002202}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035437Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:44.114{8EF30467-6B48-61E9-6703-000000002202}1968C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035467Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:45.238{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5436D03B0F338B015F77C98570304A8,SHA256=96FF38BD293800D6C8CCB9EDA1D1A1E74B4577A1238DA619B3B22FD3B9039379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.980{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\NisSrv.exeMD5=77CD94DA15DE9BB02A3803626C999DF7,SHA256=A11B9F5D4FA4C1271BF06B56D653F0BD7FF2323C08A3654FC233D281DC51D006,IMPHASH=1A1A6C24B2E22725BA69163837D402F2truetrue 23542300x800000000000000060911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.948{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\MsMpLics.dllMD5=B12C86137A1BA742738F7EAB9A1818BA,SHA256=D35ABBC49CE9750FBECEC13FDB8195409B085B4C8085D24BD91E73DF14E8E0ED,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.948{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\MsMpEng.exeMD5=D8A7203FFFA4097D85746A2581B7D884,SHA256=A7C1FE30930D982D69CC263076142EDB451AE896B67EFBCA347B54E064C93BB9,IMPHASH=99C98AC382B2B1D56BA3D07EBC95CDEDtruetrue 23542300x800000000000000060909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.933{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\MpUxAgent.dllMD5=47CFF59698E78A319D18B813546BA512,SHA256=8656A963B5511B096CA65E3E9788D8B827751426380E0D93896B86BA05BCC7AA,IMPHASH=32558E4AF479B2A1D13F5DA57D6FD400truetrue 23542300x800000000000000060908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.933{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\MpUpdate.dllMD5=6D9E4BD858D0FD048EAF8B73159E7304,SHA256=A28883348988BFA82F1505AC6D89ADEF6769B10DAD86042E5E72C15A71E35FE1,IMPHASH=61AE0536E72E995FE5058EEF5884ADA4truetrue 23542300x800000000000000060907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.917{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\MpSvc.dllMD5=D038BA7B52FF15E0F7373460049321F2,SHA256=E0404F07E33C24D661FC67830B282C0CA0E64F22474ACA3E986B6D5D9FBCBEA8,IMPHASH=E6A69A0AD2CAB38614D078683A73C876truetrue 23542300x800000000000000060906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.880{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\MpSenseComm.dllMD5=C3F2809D797FD605F846D62B15835293,SHA256=C2D6474F9FB7CCB07CABACADB2784AADDE5AA3C438FFBE6BE4126B1AC5F4E4F2,IMPHASH=0C1616327A61C6B75A3A0F7F4F63D53Dtruetrue 23542300x800000000000000060905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.833{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\MpRtp.dllMD5=25C823829EBE564946BEE8CED618B656,SHA256=85A5C9E06A70F4BBFBE8F72F27ED3460627D85ECF1867DE7CB979FA776883444,IMPHASH=E267B2123A2B15425413A946734E72DEtruetrue 23542300x800000000000000060904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.796{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\MpOAV.dllMD5=32D965D3173257DE5E2BD5863EABB843,SHA256=8C07CBDCE785BA67910529F55A9A857877E691559ED07634426BA6EE8278B635,IMPHASH=03EE692DE6217827EFB332DB1F358A4Ctruetrue 23542300x800000000000000060903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.780{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\MpEvMsg.dllMD5=C82B528CEB56D361F292AE8F907B2C77,SHA256=06DE4F7606D61E202663929441D7D6E60CFB0AE982479BE36C0B5EDEFF98C84A,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.780{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\MpDlpCmd.exeMD5=B1B5421261A9F0274434156111C7A0FB,SHA256=940FF74E86479C611D36403801F94576E42CE50C7080F4ECF4EF76D518CA3DA5,IMPHASH=73B146117A6C5C4715CD7F3710845C83truetrue 23542300x800000000000000060901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.780{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\MpDetoursCopyAccelerator.dllMD5=10BB9EF88771ECD9E3756B04D36F4739,SHA256=9FF6B5C36C317FC4F91481315F9216CDBF1006CE7026FB7A3162720B89123DA7,IMPHASH=F50111F80E604507B2C7408826513BE5truetrue 23542300x800000000000000060900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.764{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\MpDetours.dllMD5=AAD4064B21497E7336FEC522F183DB6A,SHA256=89D85A3DE418F8627D4FF5771BF7AA7F5E01894C9ACDF87980578B0F4910BA4F,IMPHASH=89C33082A62A5A6375336153F8B37410truetrue 23542300x800000000000000060899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.764{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\MpCopyAccelerator.exeMD5=A5ADED1FA195C016AAB89CB253C2073B,SHA256=9DAFA14CE9A36C1CC3B1D9910784657C2E8587365BCA59328B2B23D32B5A9DDF,IMPHASH=2E64BE4FE96382B4D9FDBC155B3FC191truetrue 23542300x800000000000000060898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.748{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\MpCommu.dllMD5=2DAD4ED3FC93427314D0735E63107815,SHA256=A25CA1BEBB54B60A4D5672BDE7BD27A660D83C7E155A8FE6EEA5F02C820B4156,IMPHASH=AD5E342A18927A2111489BCE81EA6EDDtruetrue 23542300x800000000000000060897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.748{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\MpCmdRun.exeMD5=3CCE296373EEC3D26440C30976CFA9F0,SHA256=9A8CD75B33515D8E25E8889AA06DC7FE2402F67762E7CF516AA1DCD790EE41EA,IMPHASH=BFE54B9A9FB809E3964F535FD29E3413truetrue 23542300x800000000000000060896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.717{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\MpClient.dllMD5=D914720FEDF21717A58BA74EC24C65EC,SHA256=D6EAE035E6A51AB6B7327D472120EF1666ED557AEB986441EC600D0B2D334507,IMPHASH=624E1189FDB72BC74D16BA15256EB0FCtruetrue 23542300x800000000000000060895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.695{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\MpAzSubmit.dllMD5=EE9619250DECB7B0DEF47537712DB87F,SHA256=5308801F1B784A27946C3E30BC026E4DF18D8D149220B679271B602FF7118927,IMPHASH=300ED5E63E8A71D34B395F9FB0DBF683truetrue 23542300x800000000000000060894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.649{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\MpAsDesc.dllMD5=7F998A9A9EEC218772883F0B69AA0E42,SHA256=5FC120E0D3DF0C03F9432F1D6E3CCC786636A39660AE140325EE7D77AE5B81EE,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.633{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\Microsoft-Windows-Windows Defender.manMD5=36F8A68EECFB5B89C4C571F6A63E3ECA,SHA256=4D76246642181E38F87B623AF82BF7454050D05775F546506CFACA1608BE9633,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.633{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\Microsoft-Antimalware-Service.manMD5=59A726CACE276AC73893F7C998614936,SHA256=A8BE69E37EC346256296C55E571A26AFC0F60F1DF121A156DC5714B608C21B0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.633{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\Microsoft-Antimalware-RTP.manMD5=0EA061B68884A0E5AD4B1F4A93B1FBF6,SHA256=1F78E8C7AE754DA422F11439E732628BE78F8BC85625CF4EBFFCF64C536679FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.633{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\Microsoft-Antimalware-Protection.manMD5=E4AD891E7B62475FCA109C0DF4DEF16E,SHA256=DF9AD93CDB61587A35FCDCE996955A64413439A474D85C86133A9E9C185D1966,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.617{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\Microsoft-Antimalware-NIS.manMD5=5562965C32F03AE0DF8B9DEF950F8651,SHA256=EA64BE59286B67AE930729FA92B2B08DCE5C2EAEB70FEABE2320C47FB6DDAC6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.617{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\Microsoft-Antimalware-AMFilter.manMD5=B6D65A86FC1999A62DA10EA3C4CAD3E4,SHA256=05B2BFD40FB3A344C3AE178C420A7FEA9595815CB1CC07843078112F5F551EAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.617{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\endpointdlp.dllMD5=2C43237E1D1377CF68470EED7D961467,SHA256=948563733E7ED68AB573A7C28382919A1AFE1E439EEF07BAC9B30AAA4FE095C7,IMPHASH=97B577A6A90A243C3D426A4000BED6BFtruetrue 23542300x800000000000000060886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.617{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\ConfigSecurityPolicy.exeMD5=EA0F0D2BEBFD211C27AA39C73F74E916,SHA256=36973D49650A8F1405F4FBD3D7E0D0614F270524235C7DCBBFBE6FF2E83F86F6,IMPHASH=C1B5D6B4F7C8A5BCC84810A010E14536truetrue 23542300x800000000000000060885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.617{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA9758560E2248B66B7DD8102BE8ECBD,SHA256=617B1E2AA80B9F7A78DA2B83FCA3CE14F39068E2F6BFB907B08C078F25EA8526,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.517{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\com.microsoft.defender.be.chrome.jsonMD5=60A2FC65D3CC1D3DE9ECD2C5319738FC,SHA256=6C6F52B13235148AF305BD614779EA885C00B64D0BB7CC764E3C67198CC524A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.517{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\zh-TW\ProtectionManagement.dll.muiMD5=A6643FC514B4CC543B0FF3004DEC733C,SHA256=B8BD12EA29B3F76578C55D22768935E32E2655D87D9AD5DEDD98469C1914F829,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.517{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\zh-TW\mpuxagent.dll.muiMD5=75E6F3057C3C1F565FDBB16B7789CF4D,SHA256=6D72B10E5CA074FFF2017F36A9E766A12F9A503BAAD5F8A87CEB36B6DB429233,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.395{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\zh-TW\MpEvMsg.dll.muiMD5=3AA52A36DAAE30C57D5257B6BF9D631A,SHA256=3B8F18EF2402B5AC780AEFE62F5671376B952B50E50985586812C832C7D4BB01,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.395{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\zh-TW\MpAsDesc.dll.muiMD5=A281DDC951C0E5075C724FA32C8F41A2,SHA256=FAEDA25066388EA48953094938A36F88B6582DD8AAD9532A9398B185A3623A05,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.395{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\zh-CN\ProtectionManagement.dll.muiMD5=37B2C102377EEB1C9B6E1F3E7DE794E2,SHA256=66F9A289E579458A3FA83D6542637600B1DE9F2AFF2EBFC6C2A136A2F0F8A182,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.395{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\zh-CN\mpuxagent.dll.muiMD5=4DDABBBA91F6AECE7BA569F25824740F,SHA256=F1D9A9C621AC9F45AAAE63D6626E48978297AE3157AB60209A54A9E1CAB02BCD,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000035466Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:45.191{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C969794495D6F51E23E43A8429B5CE16,SHA256=7E17D1FB589C96730FA4305D39090A80FCBA7C4992873584D4A305C82B244339,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.380{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\zh-CN\MpEvMsg.dll.muiMD5=2AEFDEB6F51BE7C54A19071BE6D86CAC,SHA256=AEE4E2CA6D996A1F4FABCF2FAEF12FDB9D4A5674AAF2772142467F18451E0E3D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.380{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\zh-CN\MpAsDesc.dll.muiMD5=0006D54713FEF461B95EB505018D054F,SHA256=66D87C7DF196DA1104FA392A87AD0054655AD3B86B6F56E21B47FBF24968D372,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.380{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\X86\MsMpLics.dllMD5=F00BF7A69846E54C17081105E81E1934,SHA256=8AF4179A985DCEFE8FCECBB0FE1CD902BB478B5ED60E5A2A884959F7C6EB52E6,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.380{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\X86\MpOAV.dllMD5=D0DE21C310CADB79D723886DD8D10686,SHA256=DD4536C2DEB3DBAB2252C2ED4CB55AFD64DAA44DCDA099B84CDFDABA3D3F954C,IMPHASH=B153971B18B753F5A5050CE54B02C2E0truetrue 23542300x800000000000000060873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.364{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\X86\MpDetoursCopyAccelerator.dllMD5=77F166B7E4CB414FED4E1EBE6AC66408,SHA256=E983447B05F5292A01A006E129D00C9CAFF1C0B11769CFABDC870FE5A7CE05B0,IMPHASH=74478D3FF071B77E9B32D63F1F5AA17Atruetrue 23542300x800000000000000060872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.364{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\X86\MpDetours.dllMD5=010D1B6E9B46C2AB43DF552E541F53BE,SHA256=B19F2ABC0ABF67550204560D40EE1F7BB20DB0D8BBFA934E77DC396CA2A9B68B,IMPHASH=6EAF4C00742F1DF994A4C265382B3E0Ctruetrue 23542300x800000000000000060871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.364{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\X86\MpCmdRun.exeMD5=4B139C1413DD5689C8D3BC3A38E52986,SHA256=17160C70EF219DC95499020CCEAB91E666B5004B86EC80BF3D240710480A8424,IMPHASH=D53B9A9284ED1C3789C06C4D975F8A59truetrue 23542300x800000000000000060870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.317{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\X86\MpClient.dllMD5=F7D44EFA4C28A88E0DAF1CDB23CD2892,SHA256=BCD8C042D874FB3F2BC991654EE5DBA308343BB64BD3AAB9D9EC65E628888580,IMPHASH=0E644468AB17DC09175E735D79CFB0C0truetrue 23542300x800000000000000060869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.280{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\X86\MpAsDesc.dllMD5=A2BB183B5DE2B4C0CE7C7C5AF37D9AB0,SHA256=7ACFB0BA3AFBEDD7EA11AECEB3ED795501BA8E3B59445AF6378753F6BDCD8C90,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.233{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\X86\endpointdlp.dllMD5=D31B7BBF2A4E1F6727BEF92C51CDAC7B,SHA256=5FC33962B7872651D5AF1E7533EA38CE676F67F7D48ED4F5AB214743F59EAF38,IMPHASH=881E23198BCA1D0E73E1198892F9636Dtruetrue 23542300x800000000000000060867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.195{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\X86\en-US\MpAsDesc.dll.muiMD5=E358396AA763AD53BBFE691F7583101B,SHA256=6D0183EBF8ED1FB253BDF38765B3330E4A4E873710292E1F4C543589445334D8,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.179{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\vi-VN\mpuxagent.dll.muiMD5=93546D11D843DD7246BA3AB3CE0232B5,SHA256=D8B48B820584C6D7A0D31DA479DE9A612E8082BE97599055A18A956DF56F7BA7,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060865Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.179{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\vi-VN\MpAsDesc.dll.muiMD5=E0753E39A74376DA225485673DC44AE9,SHA256=307C6225372FBFC803CFE97572D94074C52B4D5B921262939D4CB520B2D5E92F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060864Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.179{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43D3EB9A74A3B202CE79CD4E84B4D3DF,SHA256=1DB3FD42B2BA989BB59B87DD91442A43E63119BF96300F0BDA45967B3B6077F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060863Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.164{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\ur-PK\mpuxagent.dll.muiMD5=FB71CCB9A55BE6903211A2553F550CC9,SHA256=23A8D16236CC0DDDBC324A3B64B85547D3DEF0BA555D64C988D43526ACBF2DA5,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060862Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.164{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\uk-UA\mpuxagent.dll.muiMD5=E567348DFFB2A4822F03AB6031E470F0,SHA256=2F48C04BBB10082D3341BFD0B5AEEB1D1E9E7A7B3FCD7C2FDC6F43147CE4DCCF,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060861Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.164{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\uk-UA\MpAsDesc.dll.muiMD5=BD2BEB6FE7062E7441E9343977F951DF,SHA256=D27B62A1D7BB56CA93E090F41F173C346124EE867DD954EF6F269C90BCEE96E1,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060860Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.148{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\ug-CN\mpuxagent.dll.muiMD5=7EA1650BCDFAE680998A4BFCDC9DC7E2,SHA256=8C69BBF044DED1299182AE18F542580592200C06CD30A04C16BDCF388AE04D15,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060859Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.148{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\tt-RU\mpuxagent.dll.muiMD5=A90BE8AE9BE190903F05BF5712AC00D6,SHA256=399CF9813A5C41D51F8A67BF38594E419F338074FE75DE39F6E1A2B217D465C9,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.148{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\tr-TR\mpuxagent.dll.muiMD5=E5746BFF43FFDE6F22726D8A3C55B359,SHA256=336D5B061F856216A91D36848FFAE9BF3B92E75C47C4009E0F4222536089A77A,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.148{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\tr-TR\MpEvMsg.dll.muiMD5=DD7CA24DB33DB7E0FE85004DB7CCCAAA,SHA256=BD949368CA4CB8843FEF082AF3FD30FC53B863902C202FB001606F1EFF9998A8,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.133{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\tr-TR\MpAsDesc.dll.muiMD5=4E2E2F66DAFADE0EF18A779E939E6925,SHA256=F747BEC5848F875A723F68DFB0107D7B1812A9860178B0CFFB4AA360C11AD58C,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.133{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\th-TH\mpuxagent.dll.muiMD5=4D62EFF18866F721FF0CAF0EF6A010BD,SHA256=CA6ED94A92BE5D0CC80775B3E6B6C0DD9C9988CD6A4C3B06841931BBBDB16922,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.133{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\th-TH\MpAsDesc.dll.muiMD5=2340C0D45E832BF04D8CCFF101ACEAAF,SHA256=A3CFFFD5E1BAB687121FD1DB2E2CD6F051A3A7603A3F2A860235B831AB58ACB4,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.133{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\te-IN\mpuxagent.dll.muiMD5=E91AACF39AAAB709F9C83DB237FDB5A6,SHA256=5F4D20D9F3028F3DD5CB8E576197EB32648A3584716020D581F9499219BFA504,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.133{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\ta-IN\mpuxagent.dll.muiMD5=0C19EE18C124C7FEC312FD7820421284,SHA256=8C1875C00AD41E217448B0C600E67EA723BAB621458B6AF326D50758F320772C,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.117{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\sv-SE\mpuxagent.dll.muiMD5=6DBF66E7553ADCDF6CBE512BE67081AF,SHA256=A18AB836593EB0BBFE63C6E12568B2EDEEDF7CD47C8BCADB39F06B696A555676,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.117{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\sv-SE\MpEvMsg.dll.muiMD5=57DC0CEE83138B18C31EAA216C1F7E84,SHA256=A263FC60604A9C622DDAF84ECB93044F9CCF58BE849B5D3F131D522C55A9BA6A,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.117{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\sv-SE\MpAsDesc.dll.muiMD5=241952F5D2761C2C31313F378134D6C6,SHA256=EC6A416EABF4492DF0D09A85AD8C23F0AC85A4CE01F3535D2283B2CC93E215F7,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.117{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\sr-Latn-RS\mpuxagent.dll.muiMD5=8D1C0D1DC4BA076850622C57E43E108B,SHA256=373812B4F37D2738470A6DE2B5E8EEF04687E45BB7B8890EBBBC2ADF36FFB263,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.114{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\sr-Latn-RS\MpAsDesc.dll.muiMD5=3276EAD25D3BBDC52EE082C9DA1F0B7A,SHA256=98288AFDA6DA9EC145558FCDE25195F4B4FADCA581BA5D89B9EA5B511DC4987A,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.094{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\sr-Cyrl-RS\mpuxagent.dll.muiMD5=59C61E98E128E47DCC24978A1AB31409,SHA256=D8FF8490B51BC6A2FC9BE1941978C1685AF2CA1908C64A2FD02FC6139FABAF88,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.094{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\sr-Cyrl-BA\mpuxagent.dll.muiMD5=A10794F9AF078006A01637473AABAEEF,SHA256=6CF7B2D357B358AE91A377F972C5003F86524789629261D727D00898A0D1B757,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.094{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\sq-AL\mpuxagent.dll.muiMD5=D916D4AF97C23DA73920A239459136FF,SHA256=EE3DF61A91C0853698B6FBCF7FEBA3E7A49C1BA547B014BFD3AFD2B8F999FEA2,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.094{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\sl-SI\mpuxagent.dll.muiMD5=588B3FADFD391714D259DA1E672D9A3C,SHA256=3F410A4E228C5768B8765B745B601E0F8BA011E9E9D3C8FF467464D9FC99DEDA,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.094{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\sl-SI\MpAsDesc.dll.muiMD5=A877EDA9E896B92554B7575D4FC6601A,SHA256=2149D5A86DBE070E68EF2D82CB299CF51DB0793C915AD59202CD2A817444140F,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.094{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\sk-SK\mpuxagent.dll.muiMD5=C30FEA18E3BCEB2E57C234D3CC92BAE1,SHA256=BE6154269AD4C2EE16BFAD92B1C3D9C634B923AC9EECCD6B14338FB9253FF3D1,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.079{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\sk-SK\MpAsDesc.dll.muiMD5=ECEA9C1B9EB050C553C28960BC1E109C,SHA256=9F2595CA29A2C3225203AB4F7A2108F603143966643BD95F028C43D65A9AAB82,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.079{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\ru-RU\ProtectionManagement.dll.muiMD5=75A77AE10A0FB99EE3EBD99B3BEF5412,SHA256=F2817378A44DC6E0CE67E21029DC316156C01BF32026D82995701F5247FDC448,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.079{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\ru-RU\mpuxagent.dll.muiMD5=E7C767FE0B6E6B8CA1FF9C857224A1E1,SHA256=724ECE305261A4909DC5B6F0A7713EFA870322C6E90A4DF8FA9FCF2413FB5647,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.079{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\ru-RU\MpEvMsg.dll.muiMD5=F5934A1A8B91FAC2B63903EF595B7201,SHA256=2FF8FB6EECBE5BF1964B6754993F2542EC5F15A36975C5D0374F69F9471F1C7A,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.079{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\ru-RU\MpAsDesc.dll.muiMD5=3AB8F03931F8F8988E3C58C099CFCF9D,SHA256=D5BE49E26B6A65DE5F9B82E63A39D1F1E966DDF8B306529083F108353D3F1DB5,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060835Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.063{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\ro-RO\mpuxagent.dll.muiMD5=214D87A4AF663C8C760FCEDDC59DA045,SHA256=76AF67985AF5FBED62A98DE0AF174466BBDC1511D4175773D3CF970A98478532,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.063{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\ro-RO\MpAsDesc.dll.muiMD5=54E5AA8B1250D21B6BBCEFEA9FDFF06D,SHA256=C9F6923AEB37BE5BF4BD9E44917059DE6A36AEAD2D6F803D9614BE6E8B20FD7D,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.063{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\quz-PE\mpuxagent.dll.muiMD5=AF9E03A136080D8875E7A0FC87EFCC67,SHA256=9CAF77442DE09FD6D31BAF6A3FC859C59BB42A8D070F04811C2FC1D8D4574F4A,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.063{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\pt-PT\mpuxagent.dll.muiMD5=62450641571870F4F025BD852B775F82,SHA256=C5CB4EA73C2C8C031804BEB1975FA44131CAB267B5B31E962D9DAE4F5DD71422,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.063{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\pt-PT\MpEvMsg.dll.muiMD5=2DFB712E1ECAABB598427216D41CEB2B,SHA256=4BECD14441BCD5188AA970E4BCFF00D15D0AC6066B2DDF99AC59856F16CF92B0,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.047{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\pt-PT\MpAsDesc.dll.muiMD5=A0F78F251516E721DDBE311B363D92C3,SHA256=8B5BF06EE5FE05C305A4CB8DE23576CD5D1ABCB384B9F30A925F481A313CA5F7,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060829Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.047{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\pt-BR\ProtectionManagement.dll.muiMD5=2F44A204BE50CA405B75C51CAE972551,SHA256=ABB117DE85064F1335D935AFA5A70ACD7139DB4027361C760844E116AB5A19E5,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060828Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.047{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\pt-BR\mpuxagent.dll.muiMD5=8F7A4D1BA20EC5FE22AB8F72E492780B,SHA256=5FEDF83BD8CCB5BBD1C3E2E06F3D0E9722BFFDE4B52A3CF89F4FF721104A1EA5,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060827Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.047{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\pt-BR\MpEvMsg.dll.muiMD5=9E6582193C80680C38B48DDAE28368D6,SHA256=E22ECE4D4B21E5A323D9217655A514C699E8EDFC036F698DA92FCBC3DADA51C7,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060826Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.047{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\pt-BR\MpAsDesc.dll.muiMD5=6567DAADB6EA86B36540B2D690DF98B5,SHA256=CE581EABC6805A2FCB9CF2B44EB37F9257EF614DA53EE1BEEACC00EFEE5423A8,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.032{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\Powershell\MSFT_MpWDOScan.cdxmlMD5=D9A490F7F4B69F4F154F0512AF068FCE,SHA256=C97EC11395B35AA1294293453A4BA33ACE50E9687F6BD5A5DE9137A18119EE6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.032{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\Powershell\MSFT_MpThreatDetection.cdxmlMD5=89E9A865E87A4DCBBB7EA722195B72AE,SHA256=83727671BC4154E7FA2F2D1373FF6842AFADBFA485A051302B822C3C1DDB6E07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.032{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\Powershell\MSFT_MpThreatCatalog.cdxmlMD5=0322C1453159DE2333C83329D4258699,SHA256=8639754D6DB93FD8A4AABF06B87D218B9DE9270458BE1E6A38FE0A0402E97FCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.032{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\Powershell\MSFT_MpThreat.cdxmlMD5=368447630A1F29A15B337DDEA1847A45,SHA256=4D7049ECCAE3970C041C5F70DA78C465CC90A5BCEC1C02D5F6CAFBBEBA1BCC52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.032{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\Powershell\MSFT_MpSignature.cdxmlMD5=951AD18618A18F2EBC0C38A7CF2D48DB,SHA256=20F13DFFF8DB3B358650FF1D7FE33AE6AAC0A2884DFE764BDDA2C9EDE64409EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.016{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\Powershell\MSFT_MpScan.cdxmlMD5=D414B25B1D087BB77AE36A7FB648D1B8,SHA256=40BD053A87DDC3B144350935BE16F2E8AF332877A55ADB8CB5716516AB897B5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.016{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\Powershell\MSFT_MpPreference.cdxmlMD5=693890B31D01CABB17199EBA4CDFAD6E,SHA256=49508780628ACE108561DFB27B62CF918F669770AEB4F77A7C276C7F5E89AA64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.016{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\Powershell\MSFT_MpPerformanceReport.Format.ps1xmlMD5=5224C879069533594F957182C54598A1,SHA256=9533C120C1B00477DDE88A52629358D5BAF04AC714CE9563258B073AACF193AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.016{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\Powershell\MSFT_MpPerformanceRecording.wprpMD5=990729AD92C1325C42B04BC975ECBD57,SHA256=E796454FEE4CF17EFDC25DB5FEEF00A5D7C1B335E6C4B4FE996E8AD7CAB01BC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.016{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\Powershell\MSFT_MpPerformanceRecording.psm1MD5=F6944971576646F5A0CCCA406155FF7F,SHA256=6E933F757FCFD5FDAFF4DA1B02BA8104273F621B3CB67C6CEA0F12019B27D519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.996{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\Powershell\MSFT_MpComputerStatus.cdxmlMD5=4EE29D71C991316C509F2704E1898CC1,SHA256=01845DA368E6EA6813F552D37ADB74F2DE1306A093EA8F0754A15A585D2D2E49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.996{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\Powershell\Defender.psd1MD5=A984FBCDCCB917E0E6E19368C1CE6407,SHA256=7F2DC7F16F71411336A102A1F16228A65A137DCD592F0812AFE9D33DC5F67F86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.996{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\pl-PL\mpuxagent.dll.muiMD5=11638D258F50151829917FE996BA2ABC,SHA256=1389C318748423ACCDA73AF1E6190A1AAAA8C22A2C86E3C03AF16BF1D0155630,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.996{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\pl-PL\MpEvMsg.dll.muiMD5=761C0CBA4336B12A5AA0F2C880627F8E,SHA256=9A5528DFA98B2C431A01DFC430B782FCEE2A3E0B66DD001821D3EB7A584BFFDD,IMPHASH=00000000000000000000000000000000truetrue 23542300x800000000000000060965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.995{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\05A2C67C-0000-0000-0000-100000000000-0.binMD5=52D81ED854D8539263A463933AA9238A,SHA256=B783770BCE621CFDA1F22F1C59D53B33A543785DC09601757A6F3D3E2E6CB9EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.979{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\F1\F1B962CF2939030C15C91226D97B9EEB9649A04AMD5=CCE5005C2410A3E11E8FDBA5D42A5D24,SHA256=C3E02C76B3B0484AE3FFB71E45D79F0F5ED3837D44CA4999DDD1D5468DF09358,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.979{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\CA\CAC50F6B11D80BE2A0467166E0BA108D07410860MD5=730D5AB503DE35709DE99D7914D1429B,SHA256=2BB256392B538C1365BCA5CAF32E93D4875CCE975B761399EB4E4F98228D6856,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.979{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\C9\C9C133660468FD1D9905F598F5052DBB01F42EEAMD5=0BFB64C70DFBE45EC596985D0F283E07,SHA256=86EFCED762A03840D63AEC7D9AD2DB12926719A722E1D9A91C74D37FD0C43B10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.963{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\C7\C70AD53E38BCEC126D90CC89968CE3D4FC05100AMD5=E4A77B50DEA7BBA3710C67CD5D3298E9,SHA256=4C2E11B627AA35B13D91E4B60FE4CAF0FAFFBD933F13DC0E9BBF42CE1974CC50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.963{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\BE\BECD026FFBAA428FA50056A7BA0A990F009175A1MD5=9F4C197E74390A750461FEFC369E6AD0,SHA256=573D69DEC7277A300247A5986E4C5E86277C550180FBAA77D41F72E78F66E92A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.963{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\AC\ACB1D7CE5E021B164F4FECF38080A056B91F8A25MD5=208DE6EFB2C8E905577DFBB0F7435D10,SHA256=824A954C45FA623747EC78DD66422B904FE8B180A18C37FBE07281157A2DC02D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.963{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\A4\A4BF3C62D5997AACD71E8754DB2F62B6443C58CAMD5=4D53CF31842ED30320686865DD70577B,SHA256=851B4A2501E587CDDCB4B4ECBE289FA6A270CE82CEEBAC6AFAFF3CE83890E0DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.963{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\9B\9B38C71E6E2B3B27351A904AC029F2834E0D25BEMD5=B1E3A09CD3D8E3D561382B94B6CF0F11,SHA256=E9823092435C8A3F676A81EE273CE132655D0B14C8F9D6C89C8B7E4B98840E24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.963{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\7D\7DF74B418160C15C90B31407CC76BFD757FFBE59MD5=B10F0C3AA065190C66538FD2E3D0903D,SHA256=84720CCBA1EE6DE78E8B6F2402EEFF47C1DD62EDBE0A844C344444468E9278EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.963{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\6A\6A9287E3C515614D3797D35528011E0754C1EAB5MD5=377661AC5332EB10990B16C0A69B9365,SHA256=D3290FD60DBF75E35F9990535B116576B63C8A1723C44A5BF566F621EA67E979,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.963{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\56\563338B189DE230AEDF51B69E6D1601FBA40292DMD5=33CF85BB9F127BC00977D08F56E7B114,SHA256=EF27396E3529C199D6836B820B6476F0D72233B2302471099BC80B38231ADA1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.963{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\52\52FBD0186882E6605124DFB4758D4E3508EEAFF8MD5=536E9DAECF442DE643AEDE99917C4423,SHA256=FB112358F53D6D40C301C83D7A64F90F2F67DB38294B7575ABFFBD28332E75C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.895{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\51\51C8A99C2ED44DE841C49BE026604ED72AA95822MD5=D4CA183D804602EDCFCBD72C46CE01A7,SHA256=5D74C9BBFEEDFE8A22D66C3E65DCE38AA819EE3A89F8CB9688A30F0F559A84CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.895{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\39\39A7038115AD1E578B15DD9FCB7772C1A83A898EMD5=CD581A93E42EB5D5C8F44CD2CCD33B47,SHA256=023A563C8C88BEEB4C6CECA3F2440FBF105AEA77F2649473F2F0749B8D752FB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.895{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\24\24FACE5B5CA39CE04CF462ADD690AC401051AF97MD5=9B2891268BACEAC52602819A4C31DEF2,SHA256=297AE80C6A1B2259A880B59C457EA994B916DF937F047027B4804F68C1DE4BE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.895{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Resources\20\20A244C0440ED0B418F454F8A12ED0DE6A8BD6D2MD5=821F9303E3FE9F77F1D1A9C63458EA83,SHA256=4A976636EA6B4E42020A1FC707688E18B7A52B5EE3BCBAE3549E1413CF0EB46B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.895{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\F1\F1B962CF2939030C15C91226D97B9EEB9649A04AMD5=47F08CAAAFF61CC97656D343CF54F184,SHA256=069B47A0AC2458E7A3E65A9782FD82D35CCF9462B7D731BC09F6B90DE30C2897,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.879{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\CA\CAC50F6B11D80BE2A0467166E0BA108D07410860MD5=D0227BDC57A6C65965038A8BA8FD26CD,SHA256=059F7AE5C295C0963DB2F53C7D0A33C3CA119E9A66A5EA675B127179D83FE4F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.832{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\C9\C9C133660468FD1D9905F598F5052DBB01F42EEAMD5=E7CEAD95A779F0A7EE499163C058D9FF,SHA256=14BDAE43B5969FC6053316B1A28F96040F2E4C67A0B41BFC8EE5524271E61061,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.832{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\C7\C70AD53E38BCEC126D90CC89968CE3D4FC05100AMD5=9146E32CEA706BA69566E9B1B12DE795,SHA256=5C99B827C9B5E887AEDD3FB9209971B6791CC3287F662FF2B8EAA87799F7A3C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.717{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\BE\BECD026FFBAA428FA50056A7BA0A990F009175A1MD5=5886AC9AD32545FBA00411FDF7838958,SHA256=F9293A366BF52F4E1FDAA5A67895CED7AF2E569525EC1E230022EB0DE671017C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.717{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\AC\ACB1D7CE5E021B164F4FECF38080A056B91F8A25MD5=A174E15DD8EBAFA822DDC85C127C3AD4,SHA256=04C7C5A1EEA9D082DF31FC992FAAFA61326B5C683B6A7E8846FCD415004B1F5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.695{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\A4\A4BF3C62D5997AACD71E8754DB2F62B6443C58CAMD5=81102DB41ABA1759906575427A34B05E,SHA256=B0A32E078403E58DA7907F8A1B93269B1576E73ED85669744D8D286518F570BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.649{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C61E669C86DA01EADD61A99C1DD3A076,SHA256=30BC50F505299EBFD958F2C29BF58E21C621623E0C0E0499524B9C17F5ABCEC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.517{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\9B\9B38C71E6E2B3B27351A904AC029F2834E0D25BEMD5=AE32B9E77C04EE95B05F1F0ECD75CDDD,SHA256=031DFCFCD6E85A6248D878A03048AAFC4870D1D964451FE12674C80B5E2B7E99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.479{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\7D\7DF74B418160C15C90B31407CC76BFD757FFBE59MD5=35093B7AF4C34C52E4C5873CFE5BCA33,SHA256=C3E66A496C67784080A04EC4A0C1102D80B2EA94DACB6EF9C7BCF205F9B51B89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.432{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\6A\6A9287E3C515614D3797D35528011E0754C1EAB5MD5=2947C8305D120E32B1A67A0ACB763AFC,SHA256=40FB5672CEDB126B3D70CB7C19DC29C6ADAFF1FCA07337165F77E1218D8DBFE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.432{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\56\563338B189DE230AEDF51B69E6D1601FBA40292DMD5=BA21D88A5B03019D57E5DDABA751F931,SHA256=404F56C4179E59685D3020456632AABF0DEE13D9AC40FDE389DDDCDC1ABD8D02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.416{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\52\52FBD0186882E6605124DFB4758D4E3508EEAFF8MD5=5A0D116CDECC94A66F6E8C1C6B14994C,SHA256=8F9CF0CC15EAD240BA34EA64CA520D5E092316A9984F87AC66171DEDF129F712,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000060935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:44.846{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62425-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000035481Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:46.973{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6B4A-61E9-6903-000000002202}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035480Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:46.973{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035479Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:46.973{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035478Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:46.973{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035477Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:46.973{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035476Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:46.973{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035475Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:46.973{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035474Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:46.973{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035473Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:46.973{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035472Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:46.973{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035471Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:46.973{8EF30467-5220-61E9-0500-000000002202}412428C:\Windows\system32\csrss.exe{8EF30467-6B4A-61E9-6903-000000002202}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035470Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:46.973{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6B4A-61E9-6903-000000002202}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035469Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:46.973{8EF30467-6B4A-61E9-6903-000000002202}2192C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035468Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:46.254{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED26641B9631EBD3026A2B24BC93EBF4,SHA256=22C72F4391D20F4E9ACA02162F87531E751D512284B9B0D97A8F45F923925B2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.217{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\51\51C8A99C2ED44DE841C49BE026604ED72AA95822MD5=E63BE643CD57EAA3E04C7F8082974FF3,SHA256=EC9F91DF46923BC8EFFA3603DEEE383956953C6BFFF543D160DE997E8BA8FCDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.080{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\39\39A7038115AD1E578B15DD9FCB7772C1A83A898EMD5=9D4E0789C0B4D9F59E55C6BB0C80680D,SHA256=CDA8A8380396CAA8BBAACD0F6C2D8590FB0BFBF89AB975636AF6F88C04B8DA9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.033{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\24\24FACE5B5CA39CE04CF462ADD690AC401051AF97MD5=5A691A7F6AD7BF736DFA25CF0D0EBD4F,SHA256=7118372FE2583547A911A94FCEC55DA2344335C70FCD7A752277A71EDA9B69CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.033{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\ResourceData\20\20A244C0440ED0B418F454F8A12ED0DE6A8BD6D2MD5=4C03160737FCFE43A3C4700494C37AA3,SHA256=0172389EBCE4361E65A26CBCFE5DC34394C246DB528E0149EEFE5FA54BC726F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.033{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Entries\{E01AD230-00F2-4114-DB75-9C788D7FF24E}MD5=6D0E58420DA3F6608C3AB85C17F242C3,SHA256=3257699D305A927937F386BA2C0BF4AF684EA256B60F872771DB91202F2E060F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.033{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Entries\{DC52B15C-2EC1-5CBD-DD73-0026033674D4}MD5=C06B57E3D22182F44086B0CDDE79507E,SHA256=EB3331CC8C651CB906DB8781B4CFA9E1B1E4616EA003689B1736E05E31F8D58F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.033{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Entries\{C8B4271B-7753-C4AE-DA75-2DCD3C27A0AB}MD5=5D88DEF616D7FBCF72C30768A03F4FDF,SHA256=D1B0DC9DAAF0751C658FA72BEE234A55A16D893ECC710DDFB742EBD2BA981058,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.017{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Entries\{A59C741C-0B17-3F5B-C21F-EE1993E1E19E}MD5=93AE45B3AE2663DBDFE71988A6760779,SHA256=B920957F2A4A53B58BB2B535DC6353361B2AF8205644411DB21447830439B3C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.017{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Entries\{9CD7968E-5F23-B83B-A3A2-126CF8F3168A}MD5=14E435ECB0B6DFE92B7E1C7D5BDC4467,SHA256=F894515969F882A358B1F3122AB36D135112AC01119E2A5EA786640CB51FB6AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.017{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Entries\{830143B2-F526-C024-EA03-13DCD07868F4}MD5=425FD4AD38E512C56CD42AB0B11197DF,SHA256=2D660FDBF6ACDF6DB86DC67381056B651CD4EA50D92F4AD226C1C3FDF262DD66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.017{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Entries\{790D7354-EF74-7B90-6BD5-12E3B1F9A7EF}MD5=D5E92C3715AE2DFF62F0355BF5864A4B,SHA256=95C0BCAC81B777080EB0F9E6F1EFAC1B6641EE9E1B3260ED4CCBF166141CF509,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.017{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Entries\{73788C98-8557-29B6-338F-8559E3DE4D68}MD5=B4466B3245F1E79C435923E7B180E571,SHA256=6EDF05C7632AA456D17FD27F9E6F2451AA4D86182EF4B687D8C93CABF8366075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.017{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Entries\{5814391C-0379-0644-BCB5-61696E94879C}MD5=4E65FAF03E72E09B37A16D4584F46659,SHA256=6668F207E30330E4CA0FE6ACDE15C8BE8274675B98078218D4730A8167E210DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.017{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Entries\{4BF2B463-7479-3DAE-72F0-FB54116DE50F}MD5=795339D17F443FE67F946748B235D322,SHA256=A399530FD383441427EE98542BF57AF62DCC8EB884C436B751FEBE4F6EC20A34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.017{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Entries\{4951AB05-CB9A-E18D-0C55-EB74CFE11108}MD5=92D0D9D3AA7F51322B153BBEBF6B6646,SHA256=6A7EE758B14A3D001839BF247411692D159711763D5AA2C076DE657CC10FA973,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.017{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Entries\{1E841055-9691-E4DA-4634-425E676749FC}MD5=D87AE4862B9B09B0BE35E6C1B4BAFF20,SHA256=A5E438C6E2565DE23429CF29BBC9EBCB50CAAB59ECC67104327515E9FCD78B3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.017{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Entries\{1C4E74AC-149D-39AE-B74A-B53F4CC32D79}MD5=89ACC76E63829B566EBA0164E6FB5F6B,SHA256=BD2FD026EEBA0D6DEBE33D84A7015D4FF4BB8C61848E16E9BAC6F1B6F469718E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.017{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\CleanStore\Entries\{063FD797-5F24-091F-2B4E-0269D13D0B70}MD5=2A4338E8DF1B698EA2F246434A626891,SHA256=D9C0AE540FBE575C6ED4D3248B28D003B84E69A92F1BB0AD7144F544C50B0924,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:46.017{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\ThirdPartyNotices.txtMD5=CE7313760386B6ABDE405F9B9E6EA51D,SHA256=73E26404B3571A9E859B3A1144F54C353172479586E0A23C3A7DDA0C1C0AE919,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.995{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\ProtectionManagement_Uninstall.mofMD5=72D045707D108D55B76CD70AD9A84AD6,SHA256=30A0AD834D7B3F4FB47010B4BB6905576792E83064E9DD858EABF0CCA17FC3DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.995{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\ProtectionManagement.mofMD5=FF03FC94B051706C0B57D1C73933CD30,SHA256=93A719D665159851734370530A6224347159F0FA23B8A8F321123481579B28AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:45.995{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\platform\4.18.2111.5-0\ProtectionManagement.dllMD5=8B0BBA3117F23F81BDD84D68AEC65A92,SHA256=B5758D2C6C3CAB0745F4E9CF8B9D17BEF2CE4481C2A6438149297FFD6DA0514F,IMPHASH=90575EBCAD810516EE591F80A078E79Btruetrue 23542300x800000000000000061020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.979{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\B8567A25-0000-0000-0000-100000000000-0.binMD5=156DC2717159E8E3D647DDF0972E3AA2,SHA256=432436939963F14A60696143BA837E4833FFA7EABC7AEAFFBA5B9DA7863F5C9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.979{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\B650C107-0000-0000-0000-100000000000-0.binMD5=B507C72CD3F8FFEAA6183F22A81B1F7B,SHA256=B5EE7C326068B3AA2B71577F6EC1E51FB48DEBA462EACC4D32BC89F62F3C7B77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.979{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\B33751CA-0000-0000-0000-100000000000-0.binMD5=BD4FE4B3DE2509E3128FA763982247D6,SHA256=2B3D0459345D0BBDF200DA449FC74A4B933692D21BB4F1FD83A52FEBDCAF3B4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.948{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\B212CA87-0000-0000-0000-100000000000-0.binMD5=923E361C2575C76734C37B93760A2D64,SHA256=910EB822E5A0716B28AC885B197BC1D558F5DE44327D894BCF5EDD2A433B877B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.916{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\AF0BB9CC-0000-0000-0000-100000000000-0.binMD5=F0B9CE67A0C1808DFEBF4F2B5DE38A64,SHA256=ADA1989EB1078BAEBAA143D5FA8C10D2A1D0097D30E6C2C40BC4F74D038EDEA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.910{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\A84A9654-0000-0000-0000-100000000000-0.binMD5=2425DF2493657BDF573D07BC31BB562C,SHA256=45CBA450957E67B0A2414643656203BE8B428F3B345000DCEE2D2BAABA8C3969,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.894{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\A73606B1-0000-0000-0000-100000000000-0.binMD5=5D098EEBF6A4C146C16B9F9532C6619E,SHA256=B3910C7A3B9233F34B7CA05898A40A0052C455ED2739978A0EBC530B6B63900F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.879{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\A25A66B1-0000-0000-0000-100000000000-0.binMD5=C651B40268A35CE1D11D9449EF78B3E5,SHA256=31C1FFF9FDD54C7431772F71919F28C9871C2AEE25B170CCB25641442F23E727,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.879{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\A13AD82E-0000-0000-0000-100000000000-0.binMD5=514B197F0C53BD117CCA4B6F04BDB88E,SHA256=2A8BC7681336A857FDC3FA2EB1CAFE64EF0F6D267AAE1ECDC9C737037DBF81C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.847{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\9D191D6C-0000-0000-0000-100000000000-0.binMD5=B77E7A17E7EBF57E78E25C26EAA55362,SHA256=78491EC6BBEE247172D757E7030A32D8FE86673313B59ECB55324B5FF3B3857D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.847{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\9CB1988F-0000-0000-0000-100000000000-0.binMD5=517694A746641AB7F2FEA3DCB1002C7A,SHA256=E7FBFBEA6D3174A38F172E1847981C05D2AE5AB6617678864F7E5673F7561D7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.816{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\9BBA5FC7-0000-0000-0000-100000000000-0.binMD5=3ABEDDE8C15719E9BAF1C889EE8C335C,SHA256=E0DE0BC715FA6F467A3D2E10220E129456CB8E084F71F1D1C30C29475758E4DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.794{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\9A18D85A-0000-0000-0000-100000000000-0.binMD5=83B38D9D177E6E2977E441ECCFABA824,SHA256=64FCA2ADC210523BDA8593C707AEA6DA84B7B7A1E8A66E495ABD283EB42C7298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.794{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\9752B235-0000-0000-0000-100000000000-0.binMD5=6CEE91472B6E83A428BAB4B79B90EA8D,SHA256=B611A35E7D4A1264833F7502B6DA9D6BA9D2A18AE08A39D9F7B6DC346F10AE09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.794{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01466C06860E1384B015F1706F173E6F,SHA256=CAAC79D893B5C72FDAC8CA36B2C0444327B31D870C66D9731EEE42681EACA675,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.763{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\948A36AE-0000-0000-0000-100000000000-0.binMD5=99817F00627EC5C6F829742B2E7C270D,SHA256=6C52701A6627BA85F6908AF87C2353101B7AA1F09F4378A7B2FB246A23B0C9FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.763{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\9255B24E-0000-0000-0000-100000000000-0.binMD5=3B7840F724537D572476854B14040B86,SHA256=57CEBCDBDED4AEF5C19AF339F4532013DFDAB1F6C7EA3E3F46FA2E1C62EBF235,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.732{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\91A988D9-0000-0000-0000-100000000000-0.binMD5=916D01DB0A76A2F16C798E83266AFC68,SHA256=ABB9E631BF9B16CA2A62200903A3005BEB957EDE142D11CA4FC7D4DD4F3D2FE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.694{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\90A214E5-0000-0000-0000-100000000000-0.binMD5=D82B3F6F5AF0F9123F62A972C34A1829,SHA256=FC043E4C0ACD17D316D51C7D00055ABB96F42DE93A7AAAA7D7E4E3DDA90352A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.694{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\8EFF07E0-0000-0000-0000-100000000000-0.binMD5=287F319BB7092CF6330AB5002C992D88,SHA256=31539839841A978A1FEA98817E0B3755FC14B80BE31FA4FD34CAEEC9E420AC76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.663{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\8DB57C86-0000-0000-0000-100000000000-0.binMD5=A904FC9F2262C5B7E899679BB825F057,SHA256=FB6ACD22186EDADF7235BAD08304BA669DC318AE08D41F3C79FC08317339556D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.648{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\875E27BC-0000-0000-0000-100000000000-0.binMD5=633FA094DF8B916A32292AAF91D01926,SHA256=9B14700FA6490B370ACCBADCE2B2295BCEDC67C6F8B12FFE1E57BD8CBDE96078,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.648{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\8247AE0F-0000-0000-0000-100000000000-0.binMD5=5D943950C109EAF534CC5C5FBD148A6A,SHA256=10DFCA1FD19B965B70416D80FB55975F94A1871A82136E9BC26B51CCA02D19A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.632{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\80A749DD-0000-0000-0000-100000000000-0.binMD5=24D78BEDF41336884851A80752DF815D,SHA256=633AB9EBC3CF2344CE9726EFF4348C61BEC6BE8F315F387A0A13A0B2FB22E5AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.632{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\7EEBD808-0000-0000-0000-100000000000-0.binMD5=0E98929FA6F2886DB1A99FD8E4716894,SHA256=EC2F66FB3217A0A9230E49D4C476A01377FE63B0DB1036C438E9EF4B238503F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.595{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\788EFEFD-0000-0000-0000-100000000000-0.binMD5=676E656973DCAF3AAE3A5F03D81267EE,SHA256=D74B2AE543F73A2210167D2F9DDC39EBB7824B2480BFD17090A2CD973A42F75D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.563{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\76AA80CE-0000-0000-0000-100000000000-0.binMD5=E903C58E8CFA07E4223D459737C57BFA,SHA256=9933EFE99AF9496A0BB4D60BE583AA73CC0263E9D6BDBA027DD5C071E635BF54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.563{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\69EBD85F-0000-0000-0000-100000000000-0.binMD5=47BEF9C37DD95E4F30127F4E841AD5B5,SHA256=91C2E8E269D8382DD89819A329FEE9082F165E486CCDF6022F9B42CDBF1D6A4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.548{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\69825A4F-0000-0000-0000-100000000000-0.binMD5=B5EB40DC7A8112C61865978039D337AB,SHA256=CA7BC20922F740065222E1DC740A3C131CC5297D1F32CEEDD8833AE7E8C068A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.548{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\692D8A75-0000-0000-0000-100000000000-0.binMD5=962CD56312371C56106C2E97DC6345B5,SHA256=9EF8D285CD86F11384467AD3C9560D4043BA4810202C50D286EF6AA34D43459B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.516{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\6445F004-0000-0000-0000-100000000000-0.binMD5=2A1BE30DD51CE25EB42A483B4DA968E7,SHA256=61235E9A6070FEAF0A7161120A014A762BCAE8105B58F7802A057FBF4AEE2A0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.447{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\60E60F09-0000-0000-0000-100000000000-0.binMD5=91D98C2FB69C01F10F8D184B1DCAD598,SHA256=D9F23BA8AD423D41A88C84CDAAE766DCA7FA67EAD84BFF4AE732FF137FBD1428,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.447{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\583610C9-0000-0000-0000-100000000000-0.binMD5=AD296B980DA22D0ED682A1917C4C1F4F,SHA256=C2FFE760693D38A8410B37B403DCD6A2F89C8C956ACB61B9DBA57E7E3DB77C9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035483Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:47.988{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1DE3DE7154AA632A4DF073BBBA97B28,SHA256=73B952020D7A0D7751E1CF9332299781E1B4A5B280295ED11BBF62B62CADC9FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035482Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:47.269{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5150DD16DC4540FD9A4DC8B35DA4B8E5,SHA256=25071EBAA759A497318C527EAA6F9A5AE6ABC7FD7378B1264029CE54C912413E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.416{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\547FFF31-0000-0000-0000-100000000000-0.binMD5=07A8E0323E3BF5B4C069F2AC87EA0CEA,SHA256=D7372B6925ABAD7B4E2807804BBC1C81AEFD967B7795133F2FB1B8AA61DF108A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.416{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\53975E6F-0000-0000-0000-100000000000-0.binMD5=CE0DCF08805464987B2504FBBB146068,SHA256=4D52CDB0B80128A34956F3A9890133F4E82B59F6BF1520398726EF27649118FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.379{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\4D79D64C-0000-0000-0000-100000000000-0.binMD5=EB0642116B9D612F91CF46FA9A0EC811,SHA256=7356924B00826C16215853B975E65194BB9D75449888B74D2508D8CFEA3ACA8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.363{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\4B8F0408-0000-0000-0000-100000000000-0.binMD5=8BF6F5424F3BD1BD6483822AC1D005DD,SHA256=B74198BEE48EA775D35FAFB952FE6A2CCEFB84ECE1BEDB1F08669D7AE44D4E8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.363{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\4B06CC29-0000-0000-0000-100000000000-0.binMD5=C1F2937225CED1B8A6BDFAC3796C25C1,SHA256=D985F08DA34FE34EA5441CBCA7FD47FD6941FDF2ADC4732B894E15BBC5B0838B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.347{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\48CC2F57-0000-0000-0000-100000000000-0.binMD5=723D76EC79D0E771FBE24FF9C746A857,SHA256=4DE737A13904133AE5AF425B545B6D315BEA4BDB148D62BE98AEE1EB331E5FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.294{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\41103BDC-0000-0000-0000-100000000000-0.binMD5=161E959688CC117F8E2EABD1596409D9,SHA256=E4F025929C4A721F9F621F483A6553DCDDFAD0F7761ABC4049047D810A5B5B95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.294{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\3CB6EFBD-0000-0000-0000-100000000000-0.binMD5=1D4C805C11D5D62F316FAC2B5CED1006,SHA256=5EB6C2B8A1C365FBADE4B17062E5559B797661CD844ED50E683A3D161C57310E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.279{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\39DFE5EA-0000-0000-0000-100000000000-0.binMD5=599971CBA9CC60813683275AE755523D,SHA256=BFFD1353BD8CADE8F3515806163D9989ECF60E12C8D9493E64D5A21B1CEA8022,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.279{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\3056F574-0000-0000-0000-100000000000-0.binMD5=282EC945EEBFC6909DE2E4BF7802E2E4,SHA256=E113891375034ECE263D55509BEF6B8831B4DAA4A3A711D123E80C2E4853F44F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.263{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\2F5B0B75-0000-0000-0000-100000000000-0.binMD5=FE7A9642082ABF3A5AF28C81663B5BE8,SHA256=CD352F67358609649546BF7259880FD48B7D52195E2AE52B626015C86980028A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.263{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\28ECA76B-0000-0000-0000-100000000000-0.binMD5=92BC1A04A7DB0722386872FA3565CCC1,SHA256=82DB5C0EC2B60B51ECD716CBAFFDA5EF60F21F51C9BE707570E3BCCEF7F7E043,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.248{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\20F281CA-0000-0000-0000-100000000000-0.binMD5=450EFE1902D2D02CAC7713543634714E,SHA256=9E02E84882B9E6E516B028CAC2CD86C169B24ED91B490022AD959B0D58DBF92B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.216{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\1E505DD4-0000-0000-0000-100000000000-0.binMD5=6AC78D081537195085D3541D0418D0A2,SHA256=69C2CC06CDC04B85B6570E14545C64F2BCFB35F8C8633C4BEB873E978B811A21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.163{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\1ABDD9B3-0000-0000-0000-100000000000-0.binMD5=8CC1D37BAA452800BC42F4988012C9D6,SHA256=684D033C9540AB535D2BC28861006362BD98297DC68892BB7736C1B228D59684,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.116{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\18AADCEA-0000-0000-0000-100000000000-0.binMD5=3A89A0BD18E5062B20B1F5188B191501,SHA256=70103A46383F67DEE391F9407CF7FCEDC67AE6C83C4AA11315367EC5563AA2F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.116{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\12B34F14-0000-0000-0000-100000000000-0.binMD5=FB6AF23B50D8668EEEA51F7BFF19717C,SHA256=AD92BAB3B28D0B3C99649F9EFAE15636B91E745DF2E37283AE8FE29936546727,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.095{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\10C99B01-0000-0000-0000-100000000000-0.binMD5=FFE592AF3F2C00FE33FEEED7E329B540,SHA256=19BCDAF282E0B2FF371AF0A8ECF6B0F15B88DE54663831BA21E2D24B7B91EAAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.079{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\0ED77DA6-0000-0000-0000-100000000000-0.binMD5=031D12379438525E4DB69197C2B1418E,SHA256=CF298A1CD74A138A61D04347424F399FFAD0CFE44E33AA4BFEADBA8FD66D43E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.048{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\0C308890-0000-0000-0000-100000000000-0.binMD5=17476C3420D4211975B9D8EB96BE2A1C,SHA256=78B3E2BB2258291BE6C828C634B98BEC0F6FAB3CFFF6EC2257FC2BA0369573F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.016{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\0B0FA0BA-0000-0000-0000-100000000000-0.binMD5=8B6DC308D2921DCB5A9E7ABCEB99F4BD,SHA256=3F8D02754ABC33C538F22A8758F95E35AC0EAA154C0B90A99D3636DC0F027050,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000060966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.016{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\08A9A161-0000-0000-0000-100000000000-0.binMD5=B632E7A40E029E22ADBB5948A02073DE,SHA256=AE870B4EC58B491273D26A0DAF2EAD36F1388E8A1A068C256509F2053B0455BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035485Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:48.317{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82550A1D0572647FDBD191A37BA1BF09,SHA256=8AFE80B43E0A81296A0E864BBD02B333C7276BBFA80A86FE661BF2955696AAF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.995{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{9E0D8204-5AC8-4A48-A844-20F04F9028EB}MD5=55745770E7E168D0E5EF45859BEB4A0F,SHA256=C1F2E6275F8240C6C09ADED08CFB6C6FA90D80EC892E2B4634E9C574522318A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.980{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{9D437035-4DEE-4BE7-A5E0-4BA7C7C89D98}MD5=EED538E3DCB1ECE61E286053DE696AB4,SHA256=3602B4DC9C523206C5150BEA830C52569DD3DC3B289EAB6F24BE4B71B19AD168,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.980{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{9CDDEA09-677E-4FD1-8F83-16170385ABBE}MD5=29DF9B72E136385B25627533865D5CD6,SHA256=18E2FD623C0A1DEF57E5C87B6B944A9106F7D89AA43194BDA30C7A2B00589588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.980{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{9AF12D16-D64C-45DD-86CF-5EC8C75EEBEE}MD5=31854E739801A34E56A2A6FC595502AB,SHA256=1BCE04A29F03CD75C7FD0B49A66217BE0C8E7917FC13B5F9DEC3A31A97D0FA38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.964{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{98370BF1-A27F-4BC3-BD6F-44E016776C3E}MD5=D266B5E78D87C7BF0D92C7B891BF058B,SHA256=4AE16150AE3C78BC882D7097941033D0364B53F1FA65244E1179E88B3394D46C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.964{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{95851F61-29E5-48D5-B498-8E2FCED8182C}MD5=0B0EB8B52A57D84662EBE4272A270BFB,SHA256=6A4738D732608A42C4FA88A93AAAEBCB4DE32BB4F4BC4A459AB4CAE49463FCFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.964{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{94D18D07-F669-40BE-B819-F045117DD9EC}MD5=44D2F0C0DBEAF4B95B526698A2C3DDE9,SHA256=A1FBBA1405A1D220C125D87BEAE6ECE994B64A85D0653819CED1825727AB6C55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.964{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{93E4B6E1-0B34-4652-8D32-4D18EE97E2EC}MD5=56ED5A1A5F01E7C8FC2CDA71CC714B57,SHA256=56E8872E0A0B463A32439387683529933AF3D381BD45BB8CE300516002ABC862,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.949{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{939A3E2B-3490-4950-93DC-6ACCC116DC4B}MD5=C098FC33D05702AFBECC4E0E2945C319,SHA256=075B17CBB8F1C5945357B6CD068631B071952939D505058D21CAA5524DB6B3A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.949{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{9077E6E9-6D89-4EE9-82E7-3F951E93A330}MD5=4BE3F30525730471C73E0C62346BEABA,SHA256=891E0B148B6EC0BAB718825590EBC33F63C032F9B409D8B66B5C2711BAC131D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.933{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{904A6D82-303F-4FBF-8908-5311ADC9535A}MD5=E54650A89B94D2AE7D2B66AFEEF90220,SHA256=0CCBC9AABEAF44A0A04F93822B0AA7708C133A4172BE0BE44F4083A8D4A04A73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.933{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{89CF6117-DED0-4E6B-A079-F0A7871A084E}MD5=F04D4B26FF82C75436E4DE162097188E,SHA256=CEAAB4DF24349120BF2386105E02A06C382B77BB76C141FC2EF24F3704837F1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.933{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{8970180E-3A45-4A16-A093-730C141B3D7E}MD5=AD3660129EB0E5FA5291EA8CADACB54F,SHA256=A918F1AA261BAB3AEFB7B04402308C07C7EDF4B2022F412F410F79F08A6752BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.917{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{89602519-1773-4279-97B4-FD0A682C8ED1}MD5=79627B51A85D22CDB61C822E846F0D1A,SHA256=FF11CB0CBED704D974819248A743ECA5319458128DD1E99585BF4799E2D3BAC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.917{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{8956A25C-83AB-48E9-8B34-6BBDB950089F}MD5=D7FC6778C8D67C56BE8BF64132D972DB,SHA256=2778CAE3AB1E456516B73F20685FAB839493712A56727C4BC066D9B09E332D1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.917{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{891A5510-1EA5-4098-8E83-C601BCAF4171}MD5=805FB392ECA13143589A8D40FF9FD4B9,SHA256=2A9C7BE018E5BAEF715D80705BDEA5B2DE2AAD292DD388B6BF4014DD2A32E372,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.917{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{8915F940-D22C-4058-A549-9629DBABBF83}MD5=8EFDC0B98C963D727EA805EC8F563F1D,SHA256=189A24374550768638C9151FFC17800E33437ADCC87690F70145338A550615E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.914{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ABD4C207DA5906AC3CE4A4AC7DB0DEC,SHA256=9166725B4181E9CBF06D8513526624AB4BAEF98DB1FFF052D3AE70F9BAFAC283,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.914{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{88E15164-57E9-4F39-813C-9E13705B0EC4}MD5=6F1CAA9E498846BE5C2E771F8D59C703,SHA256=10A696D30A896FAE9AF7B5602FB022F949AEAD2C38F30ABE758D66CFCE7EBC6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.911{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{87FB0FB8-4943-4395-A82C-86823903F441}MD5=FF2936A88B71A2ED92A821C97E3BCA07,SHA256=FC79A6AC286E9E9E42170531CDC218C0F8709A2DDEB08AC40920F54D7D0AF578,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.894{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{87831482-0083-4F9B-B85E-8BD419DC0698}MD5=62011E59E916DF41A93E8EDDC501C2DB,SHA256=18327A4D327AF3B00B84D8FAD1602A1973E338B11934F2AC835857BFDCFFC7E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.894{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{862E99AD-6513-4036-91B2-97583B960891}MD5=1D30863606DD82C97D1D727162C77F43,SHA256=EC8077AC654698092C8B9AE26DA4728BFEF77412CC0DB6554764EC6A4C8144F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.894{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{846971AD-FE32-44FC-A380-F032094575FE}MD5=D4505AA1E7DA3385912442EE9EB69C86,SHA256=3A08BD25EB245254F54D61F7F38CBC95B013BDE95948B791931AF2EC1C8AC27D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.894{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{83EEDF5A-EB56-4948-BCCE-DDF1674C2740}MD5=AD8A1B3E6404F2A9000A254BC2FEFE74,SHA256=8BEB4B8E594ED322371F1B6D235E4C4D221F48BF4598B6196E7ED3E6F369A25B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.894{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{83EE4BAD-F55E-43C8-A4CE-926B50B024CE}MD5=0ED4C3C43532E5475BC61C2099D07854,SHA256=7905B9D3871D3DB057E8B2DCD83DD21DFBBF1BC6EF6888986CB4873BFEF25D3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.894{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{839E30EA-CC4B-4248-A859-FCCB9F3E3EF0}MD5=DDE1FEC23A720A59466238DD87AB58D0,SHA256=98B7FB26B9EC848091ACE8D941A367114E92630D4DED2DC95DA70D32003956A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.894{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{82E051ED-4A4C-4942-8C03-00256AB2F603}MD5=BA1D31227755BFE6A07C0679F94596B7,SHA256=AFD3FF970F6D026A47F53BE69F0426E4D01ABF4F3484C265C63ED4AB0524BF5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.879{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{829D44DB-7EEA-4B3D-AF27-C37EA2B3BCB5}MD5=C917848F6C5A5D35C4D13EDF5010C315,SHA256=DE97E51767E23FBA7874661572EB4446BE78335F52802ED9EC7A15B7C53C6373,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.879{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{8232BCE6-71D9-49D1-AC58-34E2F450E13E}MD5=BF91B1721B81EB6583AAC89CD642729C,SHA256=72CFE716D42693DDCF30CF17034A38414FA2625741322BD97EBF2EBF9B641A09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.879{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{806718CD-0873-4DDD-A2BE-4980840AEE29}MD5=CCEE847F17A47A68577952A77BE400DA,SHA256=CB974D2EB5DCE0E17FC18DF6B11BCA7D83969AF4DB6DC152A0DAED4C18A6FF56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.879{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{7F720D6E-B5B9-44C5-9F32-34CDF5C2B5D6}MD5=D2F4BE026EE174625B0DFE539BB33B54,SHA256=211221BE2B039D687981089CD012BCCB1CC1C8BAE66C41AC5C881C671AB3D57A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.879{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{7F3596E0-46EC-4DA5-8C8A-FF25335FF782}MD5=F64C524922FA139C7BCAAD4C37F33FA9,SHA256=ECF089D710A73FBD3F2EF0429B7988BBDDE6B3CD2F1A55C6BA13003088CDE3CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.879{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{7DC1B5C7-EED9-44CA-947B-0828A197634E}MD5=A49B88B378877D07FFEF0D0E5A91E014,SHA256=AC141267BE74B23BC0CB070AA488E2B54E3703EECE4E5B10105A2104FA3319B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.879{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{7DBC5501-3010-4B4E-9F02-A97B06FCB135}MD5=1A08227DAE57341B513BC499CB199ABB,SHA256=E8E4B428500B22B211AECD2154CCAE35DA96759C55DC71C3864214174DC68A30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.863{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{7D0BC201-4961-4596-A076-FAE07EA883F9}MD5=358A923FC11F4D1399353038BC0090D5,SHA256=32FCE53E0E14159E0BCCB84AD8EFFAF808EE36DDC1441C71E674AD8DBC5D66DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.863{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{7C9DDDFF-DC6C-428E-B5D0-9F8ECC6927C9}MD5=689B593046874B60FFA60F125971CABD,SHA256=2923345E7F0D41A51BA66BCC65FAAED3725B291B17E5DAC7FC7B38992B1776A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.863{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{7B1DED6F-0FA5-4590-8BDE-B33025966FC2}MD5=9FBE7BD6336E22E4CE028C388AB95564,SHA256=1F403DDB62B1A2E23BE9287134485E2C92B41C9A553AE8D8CFBDD35086AF9092,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.848{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{7AC92D30-B423-44D2-B87D-3FAC1B712273}MD5=2EE3D3AFA3B2E809D40F46F50E2D19AF,SHA256=FAA393F3C060561D258D591C489192A961CA3A18A75495F9E0D6238736193E8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.848{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{7A8EDB31-5CD6-4F65-9550-DB173F56CBDB}MD5=9C60ACA6EB1822088300C98C4BF4F4D1,SHA256=74B66C4BB1CC45D3393D48ED46DDC056B3F037F5D63E994C7758C10E9E282776,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.848{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{7A7D3DCA-09B8-4D22-8B1B-CE5602B027C0}MD5=893E07252797E7C30ADBCF1BD40F2C21,SHA256=1D7F5E4D75EB5E9AAB5973EB3B811C0A981CA2286379F240FCAD2D69321C94B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.848{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{79946185-5B01-4706-8CA6-AD8B61B32C3A}MD5=6AEF6D76FF3FE0421117312222310582,SHA256=7823F0EF57CB91280F1DA1BA9BE50C098FFC6D9DF003227CFBC4126C903C30E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.832{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{78E2F072-9AD9-4470-8E87-24E0C9CA410A}MD5=1C5F8F901F920019444F59874C1A61AD,SHA256=9AD29C5E2667D19CB116BB25A803A343468814CB0678A6C5FC7F3FC6DE30EFF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.832{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{78CF1BEF-5DCE-431F-B2EF-390770683001}MD5=7B5BE0ED84F2DE4DEF03DB7E17CBE2B9,SHA256=EC04B39DFE57DFF87758EA1191001E729D1E2E77243B7EC214F50A84F12BE06E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.832{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{78A5ADA2-F487-4165-8EB9-A1D89C34C578}MD5=F78630F5452515C4FB1CEA8C05960958,SHA256=6BC3FDFB8E68DC3322DE5F4B499A1A0114074EFD2D8818EF2807DC7A2496DB2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.832{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{773F6613-6575-44B9-ACB8-9131C61FBBE6}MD5=90480C174BF59A2905F60FEB79FAD129,SHA256=2265093452E7E7FB54B711DFA14337981D24AB9741042B4C13B5ACE5526AF91F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.832{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{76FC657E-0856-4FEF-9D70-000C3F1FFB09}MD5=DAD680E388BB1606C2686DFAF861CB50,SHA256=2F3D52393498F40EC33EAD7B5CAD0D1526BCAF88F83CFA47672E3DF80B6B007F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.832{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{7680F03D-24D3-4747-AEC7-F1FF61E94C52}MD5=174BA3ECF3746650F1165F5B80E68D6D,SHA256=1C025418C5810192E91E2F76E8FAB9DAA9FD3261EA10CF8FF3894F3405A3C85A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.832{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{7668962A-4F9E-4CC3-BA80-094D42F39403}MD5=911D5A874434A6F69DD49CA1B5FD6C3A,SHA256=0DE6B7F9A91F793EC8DB91921C256231AA4961F1860629D9E3B94F28EE37A6A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.816{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{74F5BFFF-6121-4B44-A549-E70A3D823007}MD5=AA9BE030E9DFEC9AF6EBA55D999AF64B,SHA256=9197C6CAB58D2A0F6C9D274E3993DE3D254629E34EA16821E5E54432C419F04C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.816{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{7439CC4C-8848-4DFE-9208-14A825CB4C94}MD5=651DAB0F0E9C8BACDC75A77EA4FFA583,SHA256=4667D895D4D6ED9749950B767A44CB559A323726A811C7DF9A77DB0F07F763AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.816{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{73F2C0E4-27C0-40EB-9DB8-530AFF4194A9}MD5=7A500C0B90D7709EE9FE65A2FD4413A6,SHA256=5DDB0E2BA7A53DCE83309ECD208064E25F1336BBD78AF08D437B2CFEDDBC8D2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.816{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{73D75E53-6E6E-4B15-89BD-DDCBF7FA17D7}MD5=3CA9F6B8AF5819DBE02F071EE7FF5FCA,SHA256=5FBA753EBA7629C1D99823547569470FD8BE0F4DC024D88476A17D959C389B44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.816{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{73A5591F-580F-483F-B712-968A4C8BE3CD}MD5=3361F5A178129D13A5FC3F06E98D29AB,SHA256=713B60E1CB1B0C4DC8CC7C6731152F25F491F0610DBD64F6AAC2A83190835683,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.816{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{72B7F0ED-CF6C-4051-B401-7EC060A3EBE0}MD5=E2E0EB4FFDAB5952BB36517C5F322D3C,SHA256=BA28269F70AE5BDCFAAA7BAAF7968C7EAE3E46C391791830B999E0D9E4DD675C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.815{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{728BEFAB-08B0-44A3-9A28-B833845A39AB}MD5=AF52BC1D710B202DC158EF4CFD407354,SHA256=1E171D4508663CEBF4C1D8BC6D1F847976A26C76F4EF141943514C8B29DDD078,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.813{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{72660ABF-484D-49BD-AFBB-6787A1904E27}MD5=4B527C0031029DF66224300147E9D52B,SHA256=5FE22A6C8C0C9F6B5C6B0CC09C312CBDE92DC773360CBAA7D3D3F4F79F17D850,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.810{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{71F2FBED-F2E9-4B84-960A-F75C04BDA2DA}MD5=83483FA8F2A159BDFFACEBF8E05E9495,SHA256=0B2A6D7B4FD4691885A7A2AA2E01325DFC39CA57C51E2F94B36F5FD5E8924649,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.794{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{6FC52DDC-6079-4A59-907C-C69A9B634586}MD5=A2C94C2C3349382B41B17BA3090641ED,SHA256=EFDE3840ECD404AE190FFC68ED54ED3D122B3FFF6F499E0019AAEFBAEE4F0EDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.794{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{6FAD1D9A-D9CC-4EB5-80C5-CEFE5055DBAB}MD5=776B3D867A47343D08BB2C90B45E9872,SHA256=EF0CFDDB249894EB4181C723EBBD197DD7DFC842BC4176F3D01E324141247701,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.794{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{6EE0A671-8607-4826-AC3C-8127CADBFD5B}MD5=A73BE9A6B14DDD7F53FBE32D13FC8E4E,SHA256=88AF977E4434EFCD13115F9755AC374114C1E4C71ED67621C525AC257B64493D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.794{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{6E863C1E-E206-4C53-83B3-8E028ECF4AA0}MD5=B1B375BF3BA6E3D5030E803B8E90AD90,SHA256=8238F577145721C1E6B7AB98E67BA1EAC2B2E9BACE99CBC1100DAA2515B0F0B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.794{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{6A432162-67BE-4BD6-980E-4B136F33623C}MD5=F2679CE6A7E41834563DF94C3C315D88,SHA256=F71780FB2D563752370434E122AFBB05C366952EE195ABEC4CBEBCFFF5246C9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.778{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{6980E310-B4CE-4C37-BFF0-7FEA2674905C}MD5=6A3ACD0306323418796284E609D01B88,SHA256=05B55143A384145E20B0CF3AAA3C245F5A4281D4EF1F0A6489CB689282AAC0E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.778{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{68D5F14A-FB36-4A53-9C1B-2CE72C8FC25B}MD5=60FBFF1305156930F33996B6306BF62C,SHA256=F8CFE1DA281BA96D11DB80F3FDD23ADFDB8B9BAF5EE466F3D9CAEBFC1AEBDE1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.778{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{6894B5F0-2AF4-4E9E-82AB-573FF221AB8E}MD5=6ACE422AC6C82982F59F23541D8BA699,SHA256=FD3CC5B802F96DA3D108950ADE188361B6382D82CFD5194859884CD1BA92FE00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.778{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{68653467-D30E-4262-99F4-DFC02934D0CA}MD5=E6F4820C63A3EEF281D5F8768B4B94CE,SHA256=51F09AF4EA9D6C6B6312F03148E317B8DD58CBBDA278255FC386E237A5E6D43C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.778{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{6792EDB2-7F74-475F-AD5F-850035C7A115}MD5=BCA90525CA3CCB6E169D441ED1A822F4,SHA256=A47BC0E134F5F419C4BA9BB09BD3EF0A31B30F593A58ACF9333C275DDDA39D75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.778{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{66118513-4F73-44DF-875F-BAF3408729B7}MD5=47914B8C12655DE9216E01B6A406D03F,SHA256=4BF71FBF08FACEDBDD64F7C3BF16E296A58C2A5F6AEB361AAE09FC91EDBC6A75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.778{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{65DF5279-6ED9-479C-AF92-031DD65A2D8D}MD5=1DFBE92FE56ED0D7C6888F2246E80916,SHA256=6AD7C9A0E2ADC3B3A5AB7800901613932CE6581D97F99323B011F000D15B0FA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.763{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{65BDF549-B103-4F6D-BC43-FF854D399009}MD5=37E3F7F9CF55F3E80DD9BF9FEB0C37CA,SHA256=57FFD944DBD536C3D728E846DF331EC562083B63F39913C9B40BBB1662A24EAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.763{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{6282B6D4-7521-4C97-8AD6-FE04C3124990}MD5=8D9EF5EE69E4CC4ED82FD5AA3F72C82B,SHA256=41DB127DEDA9E45F1A16452A7FE575E5863B902595314A8D7F6DFEF98C367C90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.763{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{6246654F-D63C-444A-B45A-DD0305941FCE}MD5=9F2D0607979B929D1726ACC26C44B52C,SHA256=FA1007C13E8D7FF7BB46AD979AE03F6483E18649F5B35D484BC5DB7E7F2B6353,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.763{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{6084D5A6-B696-4755-B09A-BCA62C333823}MD5=9B9E44369D4FE0B9548F89FFB839814D,SHA256=9A3CE8CD3DB8268289EF07934F0ADB2A4746ECDDEAB78C3C8C4D352F2C54D318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.763{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{5FE58F16-FA4E-4CE5-A66C-0A770DF46B13}MD5=E2F81D1CB5A7EB00EC4A2175E041A6F1,SHA256=A9086AE4D09594EE7CF5DEC2A24F2F25DD4438F02B500D801CD42795DEAC8A71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.763{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{5DF13B47-6BFF-41D1-BF19-CF13FD965FA4}MD5=D17F9B9BA7682DE9618195B3BF75DAFB,SHA256=B413BBDEB48743598F9DE696D429F9B6C16727CBADA0727364A9AFDD1B8F3B7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.763{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{5B7191A6-1679-42A9-B7F4-6302427195CA}MD5=52DB499A78516BDE99807C75491379DD,SHA256=654C76672C5E8D149054BAFB7388ABD0EBD9C1B9472E53E7B4ADED827C1235DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.747{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{5AFC6D4C-A1B8-4E26-A1DD-8C4FC6F7A27F}MD5=E00B0C83E6915A9B991811385DE651EA,SHA256=C43888A38EA1A4AD430F7EF2C54CE790F36EB191992F29075199F8EB3837EF2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.747{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{5958A17D-E829-479D-B654-826C44A56A6E}MD5=87E2B2474093D16FD3F87519782897F7,SHA256=E1031DA1EDFCD8442037339C90EA75CD60B08F53C6C36119D0D1D2E482E2D28F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.747{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{59471E96-41F4-4AB0-A88F-866E27B166BB}MD5=29C57B1D787DD10908083378B797C8AA,SHA256=8957FADF2FF2184AEEF74244C536E8E108192D64C86F1CF6F6A1D24197DCE02E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.747{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{580123EC-6B88-4A84-9765-05CCBB87E6B6}MD5=DCA20E3CFD4FC2E40747E5F101A77B76,SHA256=B7EFE4351824F3EA32701895538443B95F702435D3BA8363A618FD92F4AEE029,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.747{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{578CCB3B-6508-46C6-9607-250DFC5F3230}MD5=337E35A87505ABA19A03D8936580A2A9,SHA256=9A7C7F4D75D4533AD69314557C30E52AE912F3FFF7634C8A131BA3F615A3E860,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.731{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{577DAFBC-170E-48D0-9A02-B03F03B9F319}MD5=249560777AA86991DACA136F3A25F631,SHA256=AF43F54758090E41ABDB3BCE10E9590F6152EF3B524F2A56A372D5722223906A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.731{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{567982A3-DA0A-4910-992E-482AB112DB7F}MD5=C19A419AB27C459EC207713F7C10B390,SHA256=42668E7EE60321549EC42EE90E3B14D5CCC8FAE58765009823E767BCEE432AF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.731{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{56363A95-A258-4FDA-9A90-E6EAD1E551BF}MD5=F2D0CF098AD5A4A0FE3D5ACDBB26A2C2,SHA256=1C223E1AB4282E97273C6EF96FB437E3A8C861997E3CEC86A74C7A2780537321,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.731{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{560E16A5-2654-48F7-9C62-5CC5542816FF}MD5=CF2660D258284D045FA0E775AA52584A,SHA256=2C6F7848965D38E417820E4C0739287D20986ECD2DF7B49908D8EE782EF148B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.731{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{5530430E-80BF-411D-90AD-2C06046FCAEA}MD5=17913C743F4E09539C8F8D5640B9CB84,SHA256=0DA88E49AE12407FEECF224E044C6BAA1992D648C2508EBAE918A7C61D36E4BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.716{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{54193EF4-BAD1-44B4-A0D9-7E339338D08A}MD5=F8A6B9E22ED416D325BB3BCBF343C2A7,SHA256=3678934543DEE293CF2007E6BA4BD07CE12E7E0988927DD0BA364791FCD3D5C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.716{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{540ABF91-A467-418A-89E7-468452EA711B}MD5=438E90FBBC525E2BA4C222D4FF21954C,SHA256=E7F34440BA00927F6A38D840473647D7F6DF65E895F143D747EA543523D2875E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.716{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{53836217-8878-41D8-85DF-F4B7D6242749}MD5=880E6034B25C9430B51377143D208884,SHA256=821694AB3C9DDCFFBCDFA9C66552729D145A097EA4EC5CC3AF6B06FBD81E25EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.716{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{50C2DE09-3D3E-42E5-BC8F-8448A0B2946B}MD5=A7A8BCC0F90D842755F281E3D181D621,SHA256=3C65E92166D1CA3FC47CBFB05E63F984E57079FC9D82F579361E9D0FDE2BCD81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.716{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{50864DDB-E831-4184-8DFF-41153B5F16B0}MD5=68A2D79E943EDA632F9A621A5CF079E8,SHA256=92035FBFEA92802D7E5CE690733EED726276E7E2B611CDD83D74A4302E31FDFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.716{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{5024BD84-0463-4B40-BFC5-9CFDCCCD794E}MD5=125EAECE6CA0DFA2E3EFAC35D40C2DAF,SHA256=312BD1B9ECF6B91D407F493F3AA08616A878F5477312AFDDF60E76B94032EF53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.716{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{4FF9C188-9EBB-4B7E-8CB4-347FCABF5753}MD5=FD63353218FA95E9D2CA07D635F562C1,SHA256=ACB0CC5008FAED1A7A4185E8AAA0EA6F88D691192535DEFF681C77C4577449BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.694{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{4FB29FA0-4B77-46AD-A9C0-84386CFCE06D}MD5=34E39460AC475A70F150F8882C4AB556,SHA256=F71FC54ACB9C3F811986245D93E821E8FD461284C34356543E289DB77BD98399,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.694{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{4A1D7468-8DAD-4E51-B5D5-9E83B6BCAC20}MD5=28989893677DFACA866974F9F86CFF55,SHA256=0C49F946BE793B8A4980685CAB217D02D23B269D76C5AC499395B8335400B160,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.694{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{4859A28E-B2C4-4CE8-BAC1-386118D9E053}MD5=524503D009AABA07F0496E2E9B69AAD8,SHA256=675E69EF2F63030884BB3AB835D5F6C5338BE7691718552A73D6AFEF0C789845,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.694{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{451DECE3-77DD-4B58-BF30-9DF42B7E3066}MD5=7DAFC07718FBDF192E533EF30145578B,SHA256=C96870639A0BEB3FE1CFA2C24745E99019B91EC9918882F067B3556775F9A3D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.694{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{451ACBBF-B0FF-47AD-AC91-07BEEFEC562E}MD5=8AC355728F73C573BC23B5D89EDD454D,SHA256=7B23DB20D987E35DD86A0749CF09B3E0DAA1BCA81DA4CDAD3CCFAF0F15743B7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.679{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{438CC584-CF34-418D-8C47-19A87C5FB8C2}MD5=EB64FC8E06EAFFD203FE45F94B06ED5C,SHA256=B299EEC9586B6450BD01134512798C786E064720FBB4E021AB2F7B562DDD436F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.679{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{40A6CAB2-E544-4530-A15E-FD5013708DBD}MD5=EB2BB7F48EF282A212D3CC6436DCBF84,SHA256=C77592085D2DCA696D573FE51CF97B11E34154DAC1A95BFBDCCC8FF8432482DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.679{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{3F0A8955-46EC-4861-84B4-C31B897C73CA}MD5=469AABE969A05BB63E498433C254A91E,SHA256=A6AE9B42B8881049158CE55CBA249A18BA27EE43E57B4D38FF913BBF9F3DF8E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.679{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{3D33AE91-87A1-4F64-A38D-87002083286D}MD5=0CC17345E44EEA42BF1A44B3540FE35F,SHA256=36D0D58C5154F8EF482206031599BA4BDEC45CEA8E5E274304739DB157054455,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.679{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{3CA9BB51-BEAA-4713-A400-7B5C01B73DE6}MD5=74C43D6DA0E9BE80C09F306F49CA02C0,SHA256=F530616773269F30BFF8E6CD92274E5695AD617CF3C36179D3CA02216818DB3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.679{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{3BFE2FC9-984F-4C6D-8379-136ED9ED6555}MD5=2A5BBC8A0ED63A2281A540826B8FCB1F,SHA256=B0AAA29D92F04D0746E0A18A9090FB819028534CDAD1DF3A6F8D7E3B0D41304D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.663{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{3914A9A9-CDCF-4CFA-AC23-D31B676375BA}MD5=C80D213AAD991E314BB646BB2BB7A880,SHA256=F2C5A40245BB3DDB33D88EB13D42987AEC21251442D38EF866A1AF58B12B719C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.663{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{38A06A18-5198-4320-8E30-586A2B548A3B}MD5=9B869AFBAA54E3A711BCA531476B0C66,SHA256=E60AFDD80F6A24F5FE4EBDDC93E85A73F1DBC8CA2772C7EE98CEBA02B8BF3624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.663{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{38935CD8-1983-4910-BBCE-BBEA4FD64ECE}MD5=9D22A847A96883AB97704E331783AD45,SHA256=3F39D29A6AD880BB5BA6738939D4326AC4C71D1B6ADCBB63122D1263ACF41165,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.647{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{374A8BFB-E653-46AF-A146-25659E2BC976}MD5=C016CC5235B14F84EBD982CF282B5908,SHA256=278B65B1182C3A78685B7D9ADD53C98BD87274175189F8272ECC83BCA8BDE26F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.647{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{35E35ACE-CD69-4CFC-8195-B9BD19A9A959}MD5=8D46254238805B07C4E1799BED292435,SHA256=944E0E9AB2A5F25A03867C98C8FB9AD768F3340B026BD02A481B708FCA7410E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.647{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{34703349-3D18-4B7D-9250-BBD7CD489602}MD5=F5EEE7DF9FE4595ED8A54EC917C89355,SHA256=B9308DB1C71B4FAABA783EF5E25FE7BE2E8C0AF09429CAFB44A58B4F27714DF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.647{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{34244A6A-AA36-4031-9677-503454D09D18}MD5=1A021B08AE072D79D5E00493B1D8E6AD,SHA256=A4AD3B117579815CF904381436220CDFF8B00455BA86382970D10CEB74D54409,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.647{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{34029B81-9C37-4C23-A97F-40EEF62C18F5}MD5=4BB9F72D15C5EB44CAD733F1D88B0E5F,SHA256=BECCD710659820797907C537C2D281ECDF57C1740DF52728A2593100BF581778,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.632{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{313B6F77-F5C6-4130-8B4C-0A311E0569C6}MD5=052874638C29355D20D110A4461ABE07,SHA256=CA2D4FB9A0953F92AC58E5317415287CA62E791A98CF781F29C4546DFD4018D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.632{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{313661CF-AF54-48F5-864E-B54F9FF802F6}MD5=98B12B565424514DBEDAE91CAFD6B5F6,SHA256=D81ADC75DCDFAE409AC65AC1CB02DF28525FFB517F9610AB7A7C04FCAD0A37B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.632{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{2F026C94-5C3B-4538-B2A4-F77065933C16}MD5=BDC34AB490A20EE678214E686AF90D54,SHA256=3D5EB4A9766485C81C4F9B8DC5248D5BC91A9EF805BF3B26383C776FDDBC77F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.632{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{2C580E84-5F02-48A3-9297-CBEBED4E611B}MD5=200CDF852FED6ABC724706E8F205C2BE,SHA256=CE8319B9C1B6DA7BF8E38ECDE5594C6079BB307246B6F7DDEFA241BC60BF603A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.616{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{2B38FEAF-A2CF-4D38-8F58-E2D7E65C3B19}MD5=7E8D6B7E87B026B7E02D0CBDD33A460E,SHA256=965A9E4D16C66CB5F36108FD6D02347B791AF153AFCC08DEEF553DB63161BB8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.616{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{2AEA38EF-A87B-4AAB-820D-611C4BD873F1}MD5=AD44284A5972DBFAE1E3A88F8FCF3ACC,SHA256=DFF75638C07B9A2F87161CB6FEA3BEA352B438390A8469AA94C2BB5690D6097A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.616{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{2ADFE927-2DEB-44EC-91A5-88825C010CCC}MD5=2654AA1E175ABC19D448287B7701DCAE,SHA256=1062F124618D46366A65F22A35E160588D2D160871AD28F49C01150CD7B2D7F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.616{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{2AD9B558-C6F3-4AC0-BB3B-416C7EFA3021}MD5=0641904856E45D90967302C5C0793E9F,SHA256=0395FF5DA6F047B14B1B596855A802D21EEC910E4BFA0C3659A290718DBC1879,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.616{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{2A9DC761-6CC9-43BE-97FA-A8A34AFDF634}MD5=6D995C3ED8663DBED6881A5D7FB26BDC,SHA256=C88F1836D172718726FCF6A75818F0F011F938B4E0FFFD3CACB830B71EB31501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.615{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{2A0E503C-B839-4179-A169-CE9D2D80A82E}MD5=9DE716B8D384BEE314DC7CFE5706A390,SHA256=328206CB776571062A29E7A0F6D0393C22653E97852498547A252214A7B0E37E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.611{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{29692971-8600-4D53-B13A-2A96F909F557}MD5=6580B99CF520B4E632BE6FB32E126CC9,SHA256=025672341423C00B005410C414D92C42BEB5CD7A170C15A2B97B8913BA7DC6B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.594{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{28C590D4-C046-449C-8A1F-992109D7F030}MD5=353FCCDC5C0FB395400D735D37EE27C0,SHA256=8FA0EA99AFDCBBEBA8FD3EBC59ED422EE269F88AD4C61C9D48DE9A298247A07F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.594{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{2895E58D-3666-454D-BEB7-3092D29328DB}MD5=CC7E97296A95F034A437932BAA4ADB3C,SHA256=29596C924E42EC202C32326C0990E63A8A7CA7CF7FA858D3577F5FC95D265C6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.594{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{26AA1545-05BD-4150-8180-B0E44F8D7132}MD5=15DE958928038515F40B6B3C32D1BA3F,SHA256=55D507D2C9F236CA6CC1D5B401FE84A536ACA80486A3047125BF61701782CD45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.594{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{260D8936-E3A8-4790-92E0-16AF6565B619}MD5=49593166588EB27E5A32BE1BF521DE6D,SHA256=4DBC52782E7770FEFF54DF9A5BCF0EC9C5E5D9FEBDC3E0785CF23A1A85AC7CA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.594{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{228CF143-0857-4E46-871D-561AE471E220}MD5=A34BDCD70662A5F35FFFAD37C1B75383,SHA256=8E42AA4A73A1D359341A589C7B67FD06DD8E203F4D847942CF8A8F33A7B80246,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.579{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{22235E1F-C965-47E9-B552-166FAF32B59F}MD5=E98FC3239F4F18FFB7FFB6A3284B0F0C,SHA256=C8977AEECD9F966F7B0354871CD05422EB7B57F9B91CAB419E3E29E25F96D58E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.579{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{2218CB4B-E6E9-4B27-8FF4-A5E2331DA655}MD5=A65C338A11DBDB6DFBECE46D2EF9432D,SHA256=7929A62792E122A54A03F4EFAE66C69D044BAEA7B5DB3B894A6EE37E7BE19A3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.579{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{218AF51F-0CBC-4CC6-A4CC-1E4D32BDD769}MD5=E227C8C8C079B93E7854873CD0E123AA,SHA256=B0318FB5DF72ABEB549B9EDB476938A3A134BE229CA56C947C4EBCA4345DC4D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.579{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{21725B6C-EE94-4609-966B-9D3AA1B558D7}MD5=26004A86C33DA68305223C2F69839619,SHA256=F298B25893EFB845DAE5B1ECA925F9CB449B02E74C9274933E1ABF7ECB3A652B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.579{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{2087970D-2AED-4ABC-A418-77BE094FF3FB}MD5=B38F23F0F2D8F70D585E9BE1EA4B5132,SHA256=BBF207840AE5F10E9F39195FD72C4ACC6BFDF6B109BE04195D2B4119A0C6203E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.563{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{1F890268-C458-466C-9F37-84B5F11932E3}MD5=079429658C9F48C4898F0E8AFED8C1E8,SHA256=016E2BFCD255BBCA0F26F87D362FB899EDE03886F8E309F61DDE659F4CAAE841,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.563{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{1D2BB581-7495-4B70-93E0-7E73FC5B73AC}MD5=039C1FFC891A427BF7F56340F31399DE,SHA256=6A541A36F18955882CB2A8C5BC1153D45D37CA08C50D17DC65E587E5A91BD48E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.563{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{1CECB46F-FE81-48FD-A1B7-9AD0BF1C57EB}MD5=412F6A902A84DC778FF65F314944E6EB,SHA256=D1EB7F108BAFF69C06934AD6DFBA373BDC71C134135BB8B756D557EFF0160516,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.563{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{1ADEBFA4-A62E-4B5A-BD36-90CB772A5975}MD5=027C22B80D79171D6C150B47426697E3,SHA256=B1DC2EF034B7026B5613418C660EFF9DA2466A14EEB48CDC493DFAF136D7B6AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.563{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{1A68D71C-3577-48AA-9690-C13A989F4AA3}MD5=15738A9EAC3062020CD17824A94D2A0F,SHA256=E49E493C4D7C5B8A0FAB53B9478B08C87924EBD9195FB1D34CE1B17549E29757,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.563{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{1A322D47-F746-432D-806C-0F23D681FB8F}MD5=3F667727536E31E3054530276B48CDAE,SHA256=566B9663A6B1E8D877CB45530EE0ABD3283638357A2EFE95A54B6B2A6EC526D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.563{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{19BF8991-7DD9-4025-ADDA-0DCCE13AF31B}MD5=E9DB69B599132FB7DE6CBF5A2534A9BA,SHA256=7A60570536206C4E444DEF66310B69CE6FA91CD9CEA040C4E15A5CF8CB9595F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.547{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{175F8CCA-3A88-4E30-8628-2773B8F44564}MD5=910176F667CD91AB51E664A65259B729,SHA256=F7239ED17B267462ED8C3E06B6A0594EADB0142FCC75729F9A38EF577DB1C22D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.547{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{15FA1FD9-473B-4DA3-9C47-854130855CA7}MD5=2B6402A08451BACA1A92ABF9AA88F156,SHA256=C9CD622520526DC5B5E7D7360F893D63420E9F7EC0046AD1FF316E125767074F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.547{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{15247265-70ED-4D45-B82C-64911418E5D5}MD5=381EDBEB0D5C015BA1A4C9D97888F966,SHA256=19E625B7F8B94D49BE28DCBC1CFE0B631248B57A600B2DCAEEEC3EEDD1F70BDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.547{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{1387510B-F675-44BB-86B7-1377705CBDBF}MD5=C1797C3A294A476E4120676EDCC4919A,SHA256=F1AF7B2451775353F61494D559B4DFF2C227510490393CE65928F9E4EEC1B896,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.532{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{13539613-8898-46C6-B167-7CEB71AC9813}MD5=0949A6BBFC6215166CABA493ADA534CD,SHA256=76DE7BE8DBEB5AD8C4A33B8A68DE1CFC5CF45126DF70ECF8CA278EF755DA8192,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.532{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{12C9C6E9-8AD9-4771-8ED1-BCE98C7DF2F8}MD5=5B9D8A73C12E0D67B0FA213C11B142AF,SHA256=23AD09A8F580FD78F504178B472C382BDFA5B14250016D923E31A10C85773EEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.532{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{1249F384-AB21-44D8-BF50-3471227823FD}MD5=D694221C4D8CB35567142741CE4B18EC,SHA256=DAB12BC8875C7331354F023519EF80C61B721E85C8575796C408623D96B8474C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.532{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{100E11DE-FE93-45D2-9CDB-7A528C50AB6C}MD5=136F7D67F15414A1C8507B084EA7658D,SHA256=0D73074FCC52A7AD24041BEC63BEB5E3ED876177C8E4D1300CF6CB5917DF61EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.532{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{0FC3A28D-9385-4C37-8423-54317E53624C}MD5=FDFE5984D2F8978A2ED32787EC9341FC,SHA256=23ED661137A5884336CF2E63CA26FBD99B9E9CB2966F4E2902507718D6B253E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.532{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{0E06D4AE-278B-49D8-BB1F-402AD458EA8B}MD5=B13CEAE73DCA882F4836B608C3400A57,SHA256=085F4B482319F15D98F2788E12AA98900D73E5C0933AC3EA52E08AEC5D969C2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.516{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{0D6F72C1-D255-4553-B9FA-065ECF3AB735}MD5=EC05580C84799449A7609F3DF4D139A3,SHA256=D55901501835C4CE154097E9554EC0BA2F1ED563D94751C6424D79ADD4D4B809,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.516{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{0C33894B-62E6-4E2D-94E2-F5A47DE995B4}MD5=440CB75ED44D79EA0EDD519EE0091623,SHA256=9F965AFEB2152D70D5A494726F1912C217FDD38A455DA31A10060B5E999F76C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.516{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{0B35FA11-445E-4639-9FE8-20793C4E9FF7}MD5=5F723D24E50F5594E100E8986F7DCE93,SHA256=0540605CAA71D9F903914007E2F76E3C0BF09A5B8BC6BE52AD31BCDA0F063D31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.516{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{09A4D4BB-AD5A-43BD-92CB-F0EEBAA82E5C}MD5=7123919CCD054370903A96F3E6762476,SHA256=A33BC36A7789E6CFD7AFE729FF15262E581619A4EC35B67E77F7B4F3D1D5DDBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.516{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{08D6BBE7-5BED-4397-8E06-7958DAD1648D}MD5=B0D0DFAF6A76DB6C67F21B1312B4DB77,SHA256=EE3CCFA097428F94DD96BB20A582B43A1562602EC41E4A7CFBA09859E9511E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.516{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{067C6098-B494-4B74-97D0-91ED1C497D75}MD5=91D90D00445C7D9E0C2433141A389759,SHA256=776CD64C8E5D911DD9EA80C4F0160245A876E78E27CA185CD9D684B22E441838,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.516{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{05F33FD5-916A-4F78-BE2E-A8F7D43A3C68}MD5=9777DE1F83F2B86B8DE1B9E8A6D089F7,SHA256=CC1114D8506445C8E5024D7CD7F2BF5079AB5FAFF94E47E41B15919B8001D0B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.516{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{05A6204B-509F-4083-8FF9-B31DF5129E91}MD5=DC1EB6E2CBE58C2EEE1DAD0F20A6A3CC,SHA256=2D17A1853235DA69F5C9CD3F241434E28B7C002EAE75EF6E5435FF43D96CEE51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.514{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{05268049-CB28-4494-AAFF-00850F253B5B}MD5=5AF8A6F121CD68ADDC1E1E3481A16450,SHA256=337C9074CF35F8375A993D652A70D3A87D9E663B069FCD02EFDAC15AE875DEF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.513{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{046EE937-69B5-443A-83DC-27645D79E539}MD5=2029B9D42F7820DB116ED137BD305676,SHA256=1B48D2FC8982B65ABDF5130E7FDC0B0AE602DC6ABECD43D3A000FC0C7AD92699,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.511{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{042C24EC-3A4C-467F-A69D-1F51B82E2C15}MD5=FAAFDE188282B63B51491F0013A28B2B,SHA256=0E5E7CC6F36626AD315E23274682E1B27B3485F96DB7704BE33FB0DDBC52C0A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.494{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{0393FCD2-7021-4044-8DCA-1D9D4A180E83}MD5=61F66ADBF66843336B7A4887B685A0A4,SHA256=6B39BF17B39C7308D3A618AA495F062266B8028C627EA2A4060359267473CD0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.494{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{02A10CA0-A3C4-41A9-B163-4430E0A6E8EA}MD5=D28A5D2A781B353BB41124848FA06BDB,SHA256=FE7720957506F7B40433C01E87990F5C1417F1C4F383B495E309F86F85C46260,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.494{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{00E71259-1491-444D-A09B-60B390ED15DB}MD5=F7E4F28C3085F8545253D8927F247E35,SHA256=845D0759D10A022E6D315EE2F1149585428E50EC1009974A6892295274326D10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.494{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{0076D2D3-82AE-4E1F-8E80-3F5AD028F623}MD5=6A6E4E7D7FD2B299068102E98F59EB2D,SHA256=D6FE240AC74A58D04A95A7687837D1229E7133C653DD80E31091507CCE420340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.479{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Quick\{6F51F5EC-BCD0-4BDE-B8EB-3246293FB28A}MD5=D012E3481893371D33B4033913819F0F,SHA256=2D1D4EEC35A1C2C291381864D60B608E1906CA64EDC12E09B6C65211E0D0B440,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.479{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Quick\{3921BEC2-6984-476A-AF26-1392A85F75D9}MD5=5EE582E54A0A4057FAC10366A4C2F0B5,SHA256=B42FF6E77CB3A3793437F21CF3791FD020B0E70E1F76B23DD28572017546549D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.479{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Quick\{1FC74DDD-5B06-4988-8001-06A18E55FBEB}MD5=09A5C580FECE5D6FEDF549BC68DF837A,SHA256=D4076B63DE80AA2584A3F9934FE67B0FA5F5EBCB9ED2DE3AB38707A5C372DBDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.479{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Quick\{00DAF446-FFBB-41E6-B3DD-E8D5E3501FD3}MD5=2FA2A190B575699D4D1517E81961587D,SHA256=254B5F8DF675363C74D4AE0F4BA1BA60C845321001D4BCE80F1B3C729CF326C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.479{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\ReportLatency\Latency\19\0MD5=A044C9B3150C50BA49C322A2F585B391,SHA256=241C9AFE360F2D755E1E0CA226CBCA112963D0BB971F52997C65452370CC5916,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.463{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\22\302MD5=90F573623909E39E48BD63FC72CAF669,SHA256=AEC35ABC5E7EFC2F6EB3343F50DFD40F35CE5AF98BF76A81D998F035961AAF59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.463{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\22\109006MD5=BC10672245CA9A2F297E6FAB16FC62B2,SHA256=D2B8F5062C8431FD5DBE1753F3103988EDE5497CB7C0CDE6FE60AC247C0EFBA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.463{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\22\109003MD5=118873FADB3A029F44F52298201D1F8C,SHA256=A8EED11DD73F3C1363CD18875CDE2F2F8D9BF0F4CD65F8FC057C05E33941E6DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.463{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\22\100018MD5=61CE26554E9320B4A651D7CDF7740888,SHA256=A033508F1EC35E3DF0860E4199984B6AF832CD8028AD086FB3FF638732388C62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.463{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\21\344MD5=07B79F845A85BECC430568BD90A162DB,SHA256=3B962290993FE9647F1E0F9B8F88D71ADE23AC63170548FAFE289876D7EB275A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.463{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\21\100017MD5=672AB2F8A70BE01454A94BAF672AAA00,SHA256=470CA8D591CF59B7C8322A34107DAE9F6CFA55E2356542954149E078BB0EFE4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.463{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\21\100002MD5=ED2A469E5735352F75B3A541E74C32DB,SHA256=75B66F69DBD55DE68D2EBC90E021907A816116126557F5963DB101E6DA733F53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.463{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\20\346MD5=F5E527AA2DE972296D29C71997925F2A,SHA256=84A1C46CA8E9A7218E7818D2D82BD4988C465580416F13CEF0813442CC4C3DEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.463{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\19\328MD5=1D38BEC53FA65F59BABAA71B28ADBA1A,SHA256=91D5480931744D4492F591547E28C6827B59B70D08532880933A6A0164A17019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.463{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\19\15038MD5=F669E0ACE06BC66A998B1D0DB7A329BA,SHA256=216A5C4D5D5DE0CEE76F2EC7329BF8E4F4D11362C15406175AAD4B61C0B9B25F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.463{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\18\12284MD5=B4C82B94E721FF8CFCDCDCA7C8CACA25,SHA256=EECED287EC165D01280790CF16C657412C6758D323E1FD799199F209DD3B26BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.447{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\18\109002MD5=32E8597C4F5E548E2B6A4A63F93E7051,SHA256=9878E68329E6CB5662D964EDD4ADCD6BDFA8DBF0D1079FBF6E4E9032254C77DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.447{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\18\107002MD5=D5848F2D0AAFC7E321D617686F80978F,SHA256=F42E30B8A4CDE9468E0653F3D9FFD289B2F962B5381EBFFA420932377ECB182A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.447{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\18\107001MD5=D41F8E7B0B984E4B40193B9BD3D8E2CA,SHA256=982D4F437B9B9A4C831973A76C443572F51F84FF7DED6F40FE5CA4705E1F0C7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.447{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\17\345MD5=E2E73B82DEC60F1781376D30135018AF,SHA256=3AE1B79500D69F7CF5304F98063A2538ED0A7E0A06E592F913D53BD00CED5BB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.447{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\17\300MD5=51AF86ED72E1ED7CD1C070892FA43DCC,SHA256=81C416C0F0D4C66EF29D76CC93A7FE3556721530E610F1CC41D837B7B1DE9772,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.447{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\17\109001MD5=10803D5BE5C23DA7F643E97851156F34,SHA256=91F47FDCDE35212F9F223AF25A8054D1384A3514D2096E798CD920EF4E87295E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.447{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\16\15045MD5=4A0DE36E40FB87A6C0FB87A9395AD51F,SHA256=0725BCC3A7AEA82B8EFBC7443EE96BD484C3297F1B38241D82FFD7F9AA048F10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.447{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\16\15037MD5=44C676194CBB78FDE340ED6559A5570B,SHA256=25829D3F6FF56CF1E7838755FD195019E2B5F9EF52868646D4E3D24981BA4CAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.447{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\16\12285MD5=293F2A6D6C3A660BC49CAFA53B8D5275,SHA256=A6ABA3142539630F26232A6305670351F887B9EE3AEB7A4D5DBCB168012D686B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.432{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\15\321MD5=39E6A7151A573919D7681604B1BADAAA,SHA256=2D9770E8B229ADD006D35AF894D4FE8B638E97B306A829BD1E4C9CE0521B8768,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.432{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\15\292MD5=BCDB03073F16F99C69BBC0B66A262BC1,SHA256=274E7ACFE6FB43573C208F9C9103FBE3DEA60FD0305B8BEA0D1BE02F6435D850,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.432{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\15\288MD5=F254D377F48D053B2D081FCF0FD501F8,SHA256=3438FDE9090E9432BE3E663C0D653ABF84E6EFCA2CC7DBDDC5D00B805B8EF0BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.432{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\14\9664MD5=2C7BCF428969FD3B9C701BFC9FE82105,SHA256=2BAAA1510A78BDB430DF7AAECEF2469443E778A67FBAF7EB77806D9822ED0F3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.432{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\14\15039MD5=AC0BE5C3D31DD452CBAEC78C7BB642A9,SHA256=6780A3DB79E390692ADA6D4E213F3F3782E450358D1BEE5FD1B3B2D2008467CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.432{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\12\12282MD5=F86FD3CC40CC7735BAC118EF3B8C6A6F,SHA256=15FBE292A250870D430824B91C2D5DC6A96B6CC3D73998D6B3DACCBE4F8D069C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.432{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\11\291MD5=53551488BB63737AEFED80D0C32B2E8D,SHA256=9056C8EAF3FEF4DD384683D70C143F1EEA31701C5E6FF8EF25C8300601939A32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.432{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\11\200MD5=3717CE1E5090B2FF0CFE0D57E75CD470,SHA256=0579B24D3F454266EC583DA6A182A3D3B91E88CB1AD6DDC78FA6B845891ACECD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.432{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\11\15040MD5=0746F0DB45C45A93EC7AB35FEDFB263D,SHA256=394343E2562C701DC4A31FD4A5C4033FFF9EFB59C432C1AAA24BDB418672CE8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.432{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\11\1252MD5=770D8A5EA5F3ED6C3875C86CA4DB2D2C,SHA256=737E43D2AEB469EB0D12EA12662F7CE2A09A004E6B3C73F40F7DB2724212E564,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.416{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\11\108033MD5=3FF638E2C8D00939385D6F655A0F32B8,SHA256=86F5DF81840855D5516BAEC79CEAEFD0B20F13EF0B71EFD1436FC5BE59AD7D62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.416{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\10\340MD5=7785DB01F5ABDB557CBDCDB700994965,SHA256=11D8E5067866B488616EE4FF45BEDCBD1D21AD5AE9377CC5BA5EE28A1EA9CF04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.416{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\10\197MD5=BDF15DB819924925B3B87DB549AF0F09,SHA256=169C208C56C0CC9DB0DDA51CFCA71D3C1EB687B481B909DCF6C60B4EB940A6F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.416{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\09\238MD5=0FF37E516CAE0DDBE09B4CAF45CD48D7,SHA256=E4C5064E8ACF5CC2C2784F62B1D8FE4EB7CA2DB7B723E9A528277188B38C2D81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.416{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\08\322MD5=1EFCF75FEFD2AB47F27C9BED56EC2E42,SHA256=F3F6B602E568F3456EE125DF5092599C5B85E5EB0D7C4A59EF924B2E73DB7554,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.416{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\08\15004MD5=37232B00AF50013FBACC090B86031B4D,SHA256=F209BBB78933E5AAD76469A8D9450F4C3E72A4B0AE26F1E3A9AD1177ED3A51C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.416{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\07\290MD5=64E981EC317D55DE43B17921C9829F0E,SHA256=CE674CC40253F648EA11DE62F4976FFF83B94F0ABD72C16642D15FB1310C2E96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.416{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\07\15010MD5=5682ED85D2797ED434C56E9B83DD121F,SHA256=80477EF5CD527E09F888A05BB7CF989737F13A222628DC9FCDEE9F0E8328F5B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.415{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\05\341MD5=D74E07991A7C763EBBBCBBCECD5CCDC2,SHA256=B59F95BB39AF71BD1820EFFA41671B3925ADB8968DFABDE7ADA79FC69CBC1041,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.415{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\05\334MD5=91E44A17A0CFC5136A26C6CA8F264C6B,SHA256=F2801081C1CD07C2EA074216323BBD2681145C1E23259BE518F7F1973CC03790,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.414{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\05\317MD5=3480B84B3A51825C6AB4539D03F3C140,SHA256=4F40C8091DB9A146902EB8E6EB2AC3C562AE0A8C7508992BEFA12E8D53477A5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.413{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\05\199MD5=88784E5465584EC0A02E4B4E4ED810E6,SHA256=7193A9901A2A33D9B8E77C9EF9CBCC4E90213A12DF863D682CF8FD62EB5DA377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.412{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\05\100013MD5=57E8E054E1C769660E53B799C22EB386,SHA256=4AAE77861A3F9AFDDA49486BDA06D789700B256F065C5AAA4061ADFEE7B92641,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.411{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\04\12283MD5=8D7EEB459DBA21173CA2AA58294190D0,SHA256=BCB8E49FA693401FB5661DB0DD61BBDD37D62147C901E0EF52FD5F1CCFF8B0ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.410{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\04\109005MD5=348BF11C5F128010B95672BF25F273BC,SHA256=0C5213798D66091F08951B1E177FCC8487DF06384691CE052F05703DF983BA17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.394{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\02\13687MD5=2B120176A2E0ED2C4FA2AED0EE6A736C,SHA256=BACA86585B54B23AC17C016ECF2E6FA577AFE6A2D65112EBC0A4E1ABBB783F91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.394{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\02\109004MD5=FB9D99945A27FF0655D2A30BCFE4BBB7,SHA256=03681FD797E20593A9236C6553AF57866E33D00FD9D671A0CDC3F9CD816DA600,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.394{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\01\289MD5=348D7AFF7D21C141C507DF0D0B17F950,SHA256=58EE8A3E0FB5A338F1C063E15EC6BDDDF7A61CE939C8F4B2D9C540C3A0A17AAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.394{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\01\198MD5=6769810EA4D8E982F6012C78C8873DAD,SHA256=AA5DF73065752CA642154E120CA89B8EF41C8356DBCE32EFFA08C71A215311C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.394{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\FFD2CF5B-0000-0000-0000-100000000000-0.binMD5=8BF911C6F9624434F7B10FD278BC76D3,SHA256=DF68EBBEC7591F31152AAC6534536A8C4A467BFBDAC619F9329E2E381F72A8FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.379{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\FB5879AF-0000-0000-0000-100000000000-0.binMD5=FFA707221797469CDC9D3052C6C5F6EE,SHA256=7F0DF77B3E797AEC98D97524C7195532AC097D60791B8B50C3B38AB92AD64281,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.379{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\F687CA44-0000-0000-0000-100000000000-0.binMD5=939B68C4B69FB04DA80943DF9DFBF3D6,SHA256=EA24F21DF45F839FF64EA6FA62FC4FBCEB34BD44F554F38F4E0433EAD71F0D3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.363{67EB100B-5243-61E9-2A00-000000002202}2992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D436AF652A33B7D06FAEE8F888192108,SHA256=D76038C381859681D8335FD4E07B206A8BF432D2938CEAE5F3738101625CBCCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.363{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\E4449258-0000-0000-0000-100000000000-0.binMD5=BE1E3E44A2C3408789AB0D961992A454,SHA256=FA52A17E648F416B821C6C3904A1FD26CB2C2978AF39695BD40D9B1ED90C4E75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.347{67EB100B-5642-61E9-4001-000000002202}5756ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\7iz75hwd.default-release\datareporting\glean\db\data.safe.binMD5=5174FE24C05F911479EE891B73936754,SHA256=C691EFF3A5818A8C0A9533FCB6CF7F740429ACCBC4D7E812DC2A471675D326B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.332{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\E353614F-0000-0000-0000-100000000000-0.binMD5=3B277116853189FAB48A42F97B995573,SHA256=6C371C06068953630603A20013CA1F13B5FAC8C76CCA48F4DE76D89D9B37B6E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.247{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\DFD6B7A8-0000-0000-0000-100000000000-0.binMD5=122920411F5741E544CD8D2F5DD85ACE,SHA256=C5C0BAD7F32226135C547FA39689D9E747CAF8075FE76BFCCB72D80657A221D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.232{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\DD52F587-0000-0000-0000-100000000000-0.binMD5=45FE56E50C4873491C4FE85C8CBCA4AC,SHA256=BC1F50DDE26F72239F1EBFFECF96C26E05AC1C59D04F385E9E05FE76739F6174,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.194{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\DB19BC7D-0000-0000-0000-100000000000-0.binMD5=89D9E269125685BAE4F3D8C8427AA87E,SHA256=A631053F69DA0B2AB3E548B0D16209B63684DCF283329028D3868C4BECA32B8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.179{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\D83DD2BA-0000-0000-0000-100000000000-0.binMD5=C8B2C8A4B1452184993180E1CFDF316B,SHA256=804B4603736006977B64DCD5D59162AF8507970327E6B4B2A8FBC267C2857989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.148{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\D370F6FF-0000-0000-0000-100000000000-0.binMD5=326011A3813C232168EF55D131EC204E,SHA256=A1F0641A1F6F1FE9632265E767797D9B98487F8A2BD56E343DC21A04BD02E956,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.116{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\D2186144-0000-0000-0000-100000000000-0.binMD5=B34173C82B8BD085831EB155455E0817,SHA256=CE7D63B8B352E17E760F6DA8CC3BB7D920B1EEB6188F071E4F7C19743BF4113F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.095{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\CFE4E044-0000-0000-0000-100000000000-0.binMD5=C1899EA88C22C0738CE1D17301C01C94,SHA256=71686ACDDD47258193E9FB3996B0A33C8D31C44FD32DBFB6BCDA528EEB79E770,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.095{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\CDABB3EB-0000-0000-0000-100000000000-0.binMD5=08F1149E46EBD2BFBE30470B427A1064,SHA256=D86AD6A864F68237201C1D1EA6CA3BAF094A3254DCEDD1921AB5EF616163EDC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.063{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\C9F7492F-0000-0000-0000-100000000000-0.binMD5=B65F770789BB846D4625AA130677C359,SHA256=4B2527C628540E3B4B7A447072D1F1DED1DA85F9A4C86D3C3F5E7877FC3AB2AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.048{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\C6238F91-0000-0000-0000-100000000000-0.binMD5=B070A639E7355A727D848C9B25E2D5FE,SHA256=0B48D62980CBDF9D84D46B4878514B7EA1595608C33F2B36C5D9839FD6C307AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.048{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\C2A2DABB-0000-0000-0000-100000000000-0.binMD5=0B4131ABB71B4B0639123E1A88463E97,SHA256=9BE11D6E618E36288ADE917659418D16767350D2F2CBFD6A4B9B3986ABAB2F34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.032{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\C10D87A2-0000-0000-0000-100000000000-0.binMD5=C4B1FBB7DE1C26CBE9DB1F96A796FCEA,SHA256=5023E5D157A51C17539074265A3A3FF94F4939BC88626F1B6ADA9561888ECB93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.032{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\BF69D1DC-0000-0000-0000-100000000000-0.binMD5=3E456613F42B315C6C3E42F17C2DF054,SHA256=0AEED680F8F78E362B9478968182F9773F16D523C46F8FF67AA3E4E97680246C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:47.995{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\CacheManager\BD98497A-0000-0000-0000-100000000000-0.binMD5=E34F3CFD9FF3B8EA45A52F5D1790ACFA,SHA256=BB91F96A69307C1402C8B0403203F34B793AECA6FEB5F35C305FB6BB04499657,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035484Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:45.277{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50987-false10.0.1.12-8000- 23542300x800000000000000035486Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:49.363{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=325F65EA81950BF31232B92BC36D394F,SHA256=E2124CF5E2E0F7B3F0516142F0C89132495D0B44096647B2A5428966373CFC09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.618{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\F6AB7B4AC448F784CCD44AB7B7E913C4MD5=B6E788E3ADA2EFAD0296459E8B9FDEF5,SHA256=D7E35A016555CFB1795713C10DEC0FC04233A79A7CEAFDBCAAEA5BDC40F5C8CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.618{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\F19631E67F1730E189E563FC248195F1MD5=48A781E522E2A8189B223DE46F2C1EC7,SHA256=3E474E719A6135F9CA3B4C3A4E33985C0D253B545416512FCBB29E15091610A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.618{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\F0A8E570F9D5CE85C81F4DA04A642496MD5=F569C8FED334DAD51CC01088F27C27B0,SHA256=2C03DFFF3A9D63ADCC63864279BB57E3A7971AA3CC775C6F47EFEB6099EE8A8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.580{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\F07E0CAFAE8E82EC1048EB9D1F9974FBMD5=010B29DAA0A1A049F1F2EF1C6C504C45,SHA256=C84905B16D61D83661B770C99E7A8308E6A0AF7A7D6022C5B129D11266A43828,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.580{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\ECE359549FCAA0243A96A8B3B48F1BDFMD5=49DE3A17263F870E0942A1045DBD1C04,SHA256=AF303E609E781F19576DB93A83410050108BA6C5705D852174E3071AE4841BF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.580{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\E721F0F1A9D3205B4826FC7294238A94MD5=5C086F3BA9EAEE4C6B7E010001D93724,SHA256=177CDDC27DEB1C486DC1246AA571759639BF16697E2DE76685BD57B87EE7CB96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.568{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\E3A04E34AF58CA116EE421C5EC9FECA5MD5=C95E6606BBB7E01E1B6A13837BF198A6,SHA256=AE017921E0CB470E32A557FD261862E07B02BAD75624282A2648136C6B36E15A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.568{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\E2014C21E689A89E913B1EE9D780AB44MD5=E792AAC096FDAC2F9284DC31738CB7ED,SHA256=AE118CA58D6CBEBEAB9E927F1E16C7ECF537748F6692E13E1DBA76C6C828156F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.568{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\E1B03B7122D748609F76DCEB55631580MD5=19600BA2AC2744BF00E909A432F37CEC,SHA256=5F65AC9EEDB3736D5FCA2FD92B9AC8B5DC02073836E38D6BD26383C51893E414,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.549{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\D24AC0732490F00EE1897F40CB701E09MD5=281B1CD94F5BD663BBAAF066FB3A7EC4,SHA256=E36D62AF2B0BA70EAFBD118C8C57440C0131634F608F163EBBA1EF6D8AAB486D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.549{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\CD83F294BED6B299F23EACD6DE50BD78MD5=C95DCFE91DE4D1AF6302E3A3CDFD9C61,SHA256=298870C6F56B4CAE16850A3C862E08457440986A971899B8E515DCF23BAE5270,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.549{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\CCE92E68EE219C35A11100005A0165B2MD5=5B1B797413445182655A95480079A21A,SHA256=F96B88055DC8FEBE58797729E85B29DA4A87D1FC8B330FCF57ED4DDD0C2F2559,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.549{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\CC0C00FA0792334A1F2A0902599A1D38MD5=CEDFA311CB7C83A3F7E551D936E751E2,SHA256=60F4EB5806E4F337E535B28488E7A5A273BFDB96EEF6B40E1054579BB157E498,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.549{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\C57DF63C92FE024BE4FFF00C74859191MD5=7E770496D66C9B90A9D87E02F21538AE,SHA256=FD72E2C665E78BE7B7B5CE83260EE6E4C841C5023D465CB75B7018C15755AAA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.549{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\C4057EDDCAB0A4132321B80D64228E15MD5=1C96F96700DFBC1CFAF299FDB887B13F,SHA256=3846646994F9CB15FC127DFF7750A0A6016785DE51DF36175559F2ACA0E3563A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.533{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\BB159B8B3C3DDE48344C42248E8E9EAFMD5=403EBE44F82DC9E535FFC467017570F8,SHA256=9CF683B4CD9AB2B4475CEB02E16EDFB320D2B4160BC699A02A1E0EC5B4FA91B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.533{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\B2D92FD606207FE0387D5C785A8513E3MD5=2A183DA5F3EA92646FC04269FC4DF325,SHA256=53AE4C1DBD4C2C112680A9D9B495EDDFABA8F6A34E6EB78F5FEB4F142C0DD311,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.480{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\AFDF247EA587FE009AD29B61244AF13DMD5=9A7395C617C2934D43ED0688C90689E9,SHA256=B486571DD4B867DDE8D16DA3B923985F00BBD5F550065210EA49C1944461C2B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.480{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\AADD50C7D49470D6893ED3E000CE7F46MD5=AC779E7101F325CF5DDE861282A9F952,SHA256=C19944F2310A23B57B1395CADE565D2A0D96B9439EA5C4F3911DDB1E914677E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.480{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\A7F696A443F6291040DD7D2618F5CECDMD5=7C3F70910695B0DB42E9822B57FF9D28,SHA256=DC9D23371E90613E94F1BAA23AEF10742DDB59528BA768F1BA805EA835B226CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.480{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\8B0760B06B11F5417209F3E3956312E0MD5=5C4ABD01538B3C2E8DD8597BB8AC15E6,SHA256=C04042D131A295B0E7E00A47343DC5D0C285D05A94D5218E80609B92ECD0A569,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.464{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\88920668149EAE7ABCD4A83C1794C3BFMD5=10E5C35E6889EB757FFBD05E522F3636,SHA256=A1464550FFCE1A30671C41A2F780B75B818C8B2E3229C692E5B50D4E3B5DD06D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.464{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC576E746DAF0B18476FF581BD9740CF,SHA256=2C1FCAC97D660C16B153170BF4E5967FDB4F4B8CE8791BD9A2B8A33710C27309,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.448{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\86AA981C9D9BAB5A7016AD48E39CC703MD5=DD4BDB0415BC79F0033D02EB40C47275,SHA256=CEFEF345AB1F4D85BE3A86754108D4D1A83AD9CDE5B3FFEA201F84D5F872368E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.448{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\8252FCC23221C66B88FAD9A40F0F9EA3MD5=5276EAE0DE776C129729C59592A0295B,SHA256=4D4CAC03D7D8AD495D46E7ED5451D195926908BBA774F25CF26CA9C05AC7E1C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.448{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\7CD2524F8EF20CBA6AD61D4D3C04BACFMD5=02FB44040407F4A5C00E0FDBB99F6E09,SHA256=C2175810C19335FAB2472E058EDD5EDCCB6CADC2E3227BF69594D0A61514C0A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.448{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\78652A233EDE740109B333033DBF1A32MD5=0362DA866F0BF71642EED099E3CCA440,SHA256=07D11EDC3E12BBE0140C0A3363BEB8D24D367DA3B9A11E4C723E3A61E6CBA1BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.448{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6C2DCBD50E58BF6D18A4583013AAD01,SHA256=D291A880F4E12841D19EBD74016C813878A27EFBDB195A9B755307CF13E11DF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.433{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\6C1226493C5CCE894D83874216B662ACMD5=0A474C7456468C53D936C23C8D36DBB3,SHA256=A59D38936DBE770F8312A2FAA2109F6CDF8633DEE89350B0EE62DFF2D3ABDBFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.433{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\6A49F9280EA36F78E729D455CBABF39DMD5=4AED5A5149D79C9DC891C97E9FEAC2D5,SHA256=BAE614F3C3D1067BFCBE43BC6F2F9ABBA0671294D13EDC13183442091BA8F33F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.433{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\5E17B790478B97095EF50BAE86656C6EMD5=E5A2786C79F946CFE23CB7BF946F5CC3,SHA256=137218AAE8F514028ED571C120B111C51C316AD9E1D1FD5023DD7A1127AF2702,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.433{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\5C4FEF57A1103DC3EC8BBA5C23AD820DMD5=92946AEE1D74F75C78320BA9C992D62D,SHA256=0BA2734CE239E60CDA9DEC2713B5571BBD20CC442247F00634983D24947760BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.433{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\5BBCA962928AED82E18E7933A66C3C44MD5=8341CD233AD10C3937FB1A7BF6B6BAA8,SHA256=A1BDDC06E316CF96DF088AC8EA9666A67F0282E6950564ECB6B4A73183648171,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.433{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\557B30FD59E1FF4E0BB535AC95FC5226MD5=95AC0C1F03E6D83A2543CD20313A2279,SHA256=F2C4877FF0923EA92A922EE282177572C347310CF132D986751A58E9E7B0774E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.433{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\52A16CF4CC3B7B6BB95CBD13A12662A2MD5=B16694BAC95CAE4332F90D2EC364B14E,SHA256=3B2BC829B46F3AC70631B7B23E3A23DB98ACA9F5B5045A6BA5C97BA1567AB195,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.417{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\527ED1C8390F58C76437AE5E33E35D41MD5=F5592A2E83217CDB75958B374CADA20A,SHA256=42ECC334FADE3609B33966AB2EFE04654843166F9BEFB7AFD8FA20E4A3144EF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.417{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\512A434C5ECE4C78D13C20A57AFD5608MD5=1877AEFF9E765446F2877D027579DC1F,SHA256=AA7AFA1527B824CCAB48C9B5A06F4A069358E61EFB1B724CB5FD7D05C3F9FA21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.417{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\4C7DD2B9663F41FB0329680A5E50B4B5MD5=84AF2BBF2BC192A66A3CC3D02AF49BE2,SHA256=E78510ED9CFE60B37A2493117DE1B6542C3FE6549C5664E18BB3DB6F639889D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.417{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\44E09DC03C072E3E12C73248D40D203CMD5=BD61A041658E33C2C3ED0DEE0076DE80,SHA256=F73DBDB0751C8BA35438D3BC7D5BF16A550B18956A62960A72EEC14B97A8270B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.417{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\41774F5B6E9AC2628A4112DE02A03DB6MD5=5F6DC00A8642BEB4B03DA55F69ABE8EC,SHA256=4CD46E7BFCABBF85810E129AC79358C1A30ACFB8CF469CD9F8DCC8AB4F8D7C95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.412{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\38BEAD793168371D7450BBF648FCA3D5MD5=0C1490A122FC49EC6F6C5ECA5397C04A,SHA256=B25F1B5AC2F9749315EEDD2A93C4FBF6C84894A4C8246784EABF9842B237EBCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.396{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\29273F82A59CE197CDC79425C9F2390AMD5=C633301E207AA7A2A00E702E24F8358D,SHA256=E4104676CF3D96490BEB849114DA081BD9AFAB56477B2662191C15A02D6E87A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.396{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\28193F41FCB692374C9FFC7C3BA4921EMD5=900C42FE7F3D6AF56C6258598BE7D43A,SHA256=50A715F22674C450FE9A369C44E8EB0F502F9D5C7AADD29122E323FCB1CAF620,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.380{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\1CC4D80F1A0877D0EC5CE7E7BC8B51AFMD5=86BA21314B2630D2FB4893260C37A401,SHA256=F1DDC4B22850911146C812166B47B2AAF43D4F9B1F7869E46BEB36A05926BF91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.380{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\19087F00AD4DA631E9F1DF4B9DB3660FMD5=1E72796C0BFBBAC450596F6CD1F4DB88,SHA256=B1419C6717577D68D3D006277076BC8B03A5420315D2BDE6C595108C9A966A27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.380{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\187C45C4E50F22AF769DE46BB19D86CDMD5=B73B3994EE9550E7826CAD5972592410,SHA256=35B6DCB46B043BCB6D864821E06A8EB23E1317EAE4A933228372689BA162A236,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.380{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\1147D9B6434000301E48E7D66143EAD7MD5=7198FC93F4D56F1087951807780B3073,SHA256=7A4D283E1BDB296F0BF2D662F0250EAEF62004E464B16FA285FFF499A834DEF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.380{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\10E76ADC08650B924384C62B0C2DD411MD5=3D713BEDAD604F2C8B4E8EDBEEF39F4C,SHA256=F7BEF1CDD98D8F0E0514B831AE10904024FAEA75B44A4EB195D5E1EC1D5AB162,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.380{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\0ECB1429930139E0C870510F73744BFBMD5=A74AF04F9933217D8D4784C6139DF204,SHA256=BF568AC720CF94B773C001672A6A27068572291731AE791AF6F7557534CD882A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.364{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\0E87A69F84BFD0F72A99C702B38E127BMD5=C43CF680143A8CC777479977E187D5DF,SHA256=C0CAF365D2131C10B91F398699CF3CA214B2EE70349FCA34866EDE3030045A46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.364{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\0A9C1C7BF3A1A69CE92A09E264D1E10EMD5=5510CB4B0607832AEC944A18ECA40435,SHA256=8A163828126ABB50DE166AC412BC19318CCDE03D878CB98402A16E08A27C6F3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.364{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\0A44E5B349E776A65CF24C6E9F8517ABMD5=AFB4618FCF6B7BBDE5CBF79B439641A3,SHA256=3B72471403E3899FCB462578E4BCE2CE413E5155D43C172DAB3F8D174ACC9543,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.364{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\Unknown.LogMD5=C65D6CC56B6E3122469A0A7E57675BDF,SHA256=2C31EA0E31B2D427716A7A59A5CC64B69B81DBB0496B280CF74E684B62197BC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.364{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\System\{3D834516-209F-4504-87DD-E4CF85E053E4}MD5=6883F8664C8911B84F614708D48D3151,SHA256=4A61CDFA39445F618940CA5CF5EFB1AA1BE289DCC72663E6771D3865FCFDEE28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.348{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{FF796F23-815D-4257-B5F1-F7EB324F4F98}MD5=604B5E95A3C7EFD55E16A91676050A13,SHA256=3E2FF391DC5D44E85B651D1916237EBA91F6D31D7C2A37E475CF29967A9DEC98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.333{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{FEF4815B-2450-41EF-B87D-FC0097E07217}MD5=B87563390C33BD887E6E1DFA678F3ED1,SHA256=BF37AE64A519666672E428B858DF8727F470F2FE3702BC2F1892CD974BDDF2F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.333{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{FD97EF81-96EE-4436-A7AF-669A4B5EACF6}MD5=018CE3A354CC305F6FF735270FD9CF6E,SHA256=52884BDD13A9B29BC1EAFF25AF22AA9C94117E6EAAF580FF53AF21D1DA81F7A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.333{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{FA57A0C9-C941-4618-AB39-630D20978122}MD5=31CE02F98C431CDB191CFA2FD61CEAC9,SHA256=ACCA83C3A50D3945C79925B43E6CE1FA2E9F59962C34609311E2145A867FD21C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.317{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{F82D59DD-34F4-428B-9A90-2915C53E5F76}MD5=C5C438723F5229C28FA0305CFBB4C74F,SHA256=DA2F72507A1D18BE555235EFE7F596CA8484102D208E66F2B1AC3C8AC138BD79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.317{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{F7975A06-376C-44C8-9C91-051434AF8A27}MD5=54ABC323CAACAEF7CE2A3C1249222946,SHA256=F263DC57BF3AC276227A39D1132BDD14067C3BFAF35E5E17EE59C728E8DA2DA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.317{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{F725779D-5D3D-4088-80A5-E992AD321021}MD5=7DCCFC3995BCF6342BE9CC800AD0578F,SHA256=4C0280CD71977001E8F4CC8E1011739C15061E7DF07176AB8FC0FE1EA2894302,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.317{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{F6EE5093-29B6-41B7-8CEF-FD8C744866E7}MD5=7493FF027A1BE4D75F9A1A5A4F4FC0A9,SHA256=5CC7D21738BD4A0DD189A4E4F38A3FF8A9F5647D70090C16C2F9175102F21FBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.317{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{F50E1E0F-5326-43A6-9BC7-02BC62340906}MD5=4A5FD2B9B60D7D8BF8AE65F7C9BDE8C4,SHA256=C911EA2CCABFE1FB63B2B32BE98B527445E1CC9DB45EB09B9116D20869C3AA9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.317{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{F407B4E0-5B75-48FF-AB87-CDC661E48808}MD5=1FC56A5682624A475B68FAF738AD6B97,SHA256=926AEF4033B4098DC58FD48CDDDEB7AAEF659794E63C7D221C680EBD446D199E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.313{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{F32114B2-32F3-42B8-86E3-598985CE231F}MD5=92A1FFE20B0F2C1F869F4E8EC31B6AC2,SHA256=D242E58001E0F4C81AFB0E716116C790647073A872F37D69875DB0B8032C4520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.295{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{F1ED5B2A-C1B0-41DD-95FF-06EC688BD63F}MD5=5764622580FEFCEB88589542AA293EBD,SHA256=45247893B027859D2EB7809C691D079DA84995E92117A9E72A5F1B67E41E8459,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.295{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{F19E6FD1-C2D1-4B43-B89F-00D6108A43D5}MD5=D16667C9C073B4782EDAD752A6AA10F2,SHA256=A7533CCD99BD31AD1AA3717562B834A83E19DD8F2F85B6D7768EED92D0549EA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.295{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{F17EE22A-4414-4566-99DC-3DDEE5B1FD09}MD5=79E6C5DB4487A8C7477CB1C477B4C59C,SHA256=ED1D7F3062FA591C9F3CB788CDB0C306B4560800DFFCD8FC17048D7F71F1F51D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.295{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{EEAEB6E5-9842-4D94-BD33-07EF39E37DAB}MD5=39F0EB4E99577E2D2A63187C4AC354DA,SHA256=C15BE28D39DF7DC2A0061045010DF5BAAFAB1A958E323033B9F2B319690A9F14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.295{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{ECEB8D24-0962-45A8-BF51-A5E5503F1CBD}MD5=B323A4808B31546562522A691394FC71,SHA256=72847498E5DD085B70DB67C4F39F95FC4D5960D9E5941E0ACF287E5EF0A2478D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.281{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{ECA8CAD8-0533-4BA4-A51A-2D73F0472968}MD5=EF80BCDFD14ACBE3AA742AC4EAAE828D,SHA256=AAC42DB7202050D10E797E7F51874D439865DBC85DCD2714B4905AC00ED7D046,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.281{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{E950208E-2E6C-433B-BBC9-CB7B21C7E338}MD5=B0039F09A450CEE7395F44573791A10A,SHA256=9CABCD247C2CB1BB3208DBE8E23D052C678EDCB005FB5411DDBAD0D37CCC930D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.281{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{E67760FD-8283-411F-B7DB-65571AEA72E4}MD5=C6FB605019DA2D7EE3CE64A25B446760,SHA256=3FCF0DF2128ACFD4ED42D39AF57898C704A1850C736C937EA53DD4D740896C79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.265{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{E55C5A8C-C569-468C-9A51-237542126B7F}MD5=251D2BAF40F17D0614C2DF51A78DF4FE,SHA256=CCDFE1A3A11C7F662869C345BE368B8B8FA334A54453510B5C9C3D698529A846,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.265{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{E5416BAD-6C12-4BD3-8B8E-BC84D98EB068}MD5=88EAC9B31A2444A80059C3D8775CE091,SHA256=378EFFB2AFF3F09BD2D2A1B004662663D0483F55332F426847499AF32081162E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.265{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{E4F3AFA1-91C5-4ED3-B3EA-E617701AD98B}MD5=D6C27A9888C08D89D6AE92B04F66DF24,SHA256=6B1918A8AD61C6756A7BDDAE7FCCA8B5BE2CA05406ACF903CBCC904E889261B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.265{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{E4697C31-1787-4F64-81F1-63A607CC59B2}MD5=431F2A03F8D61C68A13019A6359C072C,SHA256=6D5E3A807AEB8514890A63F773E71BCB5901AC5208CD7B45E496666689C6D7FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.249{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{E3CFE9C5-F08D-484F-85C7-21D614096522}MD5=12F9B71B86ECCD4014C0B4627FA0DA8F,SHA256=FF261F7EF1F9A1DE1CDF2B6C25733D7C4634542C5AE63BEBD393B14BABBF9550,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.249{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{E32B2FEC-C1FD-4827-9537-D51FDB63108B}MD5=C9BE66DC85A07CD0F69F5C120036D299,SHA256=833976FCF07C52FEAC07C92C8C6209F2195F568F57D487CABFBB9EBAC45DB728,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.249{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{E0763248-F5A3-4208-B255-F3BC369BAF59}MD5=F0DB916FCB0B68E5093340A1B34DC862,SHA256=C5D52BC91F0C11065378B9C5A50A8248BF6E44ECCA2C5CA3BD9D4DCC97819198,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.233{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{E022866B-A96C-4F90-948A-492342CD2C09}MD5=E3E2D5501665201561F7EF9E5583B683,SHA256=85544366631D6D7322AF43E9E713DD9AFA450F54AD7334206DB046ECEAA18858,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.233{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{DFD3CF5D-790B-4971-91E6-5C1230A55EC9}MD5=F3905FA6EB9ABB88826D825EA801A351,SHA256=C4C08D46265EA86B8AC26F5975BACA4E967EC55D5A8A25020677B1C5CD8B569C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.233{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{DEFCCEA9-170E-487F-9694-C3BF4292970A}MD5=78761C2C047A338210512CB068AA3335,SHA256=3C2F0C40A88E33FA1898CBC95A0430E43A381B4F2520206B9917E9F366583A30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.233{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{DD96C156-C671-4674-8B35-938564EE36F0}MD5=9C51A502EFA26AA27C83A6040C87375F,SHA256=21BFB1230264CB7ACB22EA6CDDD0E154CBABDF4ED19C71C7D3AF3800200E3C0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.233{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{DD260AC5-5364-4416-8FA4-D4CF0523833C}MD5=5B1F9168082D5E4531D406DD30B92F2B,SHA256=907B6EA5F315CB53677186B92DA743553E2A7CD7547A78EC4FF1AA4BDFB71F4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.233{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=688DB2FA6D4A4E52B033EA9110B718B2,SHA256=F88BDE59C9175CCAB2792345C2F765A0FC93B5171203AB9DC0650FAFB7DEE2EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.233{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{DCB45F8D-D730-440A-9742-5875E9DF9822}MD5=2B2F5013025C3467440ABE2995A14F16,SHA256=AEDB46968EDCDDFEB6A7BA79859B10A9203A3A34B61260672EF87F9226579895,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.233{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{DC9A0A70-A54B-41F8-B6D9-2F1A49E4DD43}MD5=C6785AB71F8FF27248BDF68F78E39616,SHA256=32C02869E3C4F07F8741B16B5D20713B7320226F9B571C4A73443CA44DADEE4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.217{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{DC6E0686-1052-49CE-986A-479124FBD8ED}MD5=19181D015D055C16BC665687C626572B,SHA256=6D1576FDF06745CFC27ADFD44205DC037A8D3B2423BD0D0D234B7E8F93BD0DF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.217{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{DC3822E9-F98F-4B4C-BF33-3F4EFFC826A9}MD5=30542096D1B2F242872344129D08F623,SHA256=DA564210140EA30D37E64EC78A2BBBF5F60F731706FE4733FD9214BD757B5D9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.217{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{DB2B4E1D-4FC3-49A6-AFAE-A3AD3AFA089A}MD5=84A1CB4F18280B8DC46AF168F93B0D61,SHA256=1E15C1461C3DDCE70341BB4900CA9C2EBA8FBFBEB4C5BD397D5968A00E8EF8F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.217{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{DB04BF7A-7465-4F1A-BE55-86B8464C4604}MD5=4F27025B4D1C294737CFCA333479858C,SHA256=C00DD1301057EA59B54F5FDBF23F33F5C13DD08FD1F38798D3E3FBA2CFF056C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.217{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{D6D69344-9391-4E49-98BB-9EC1B4A415CA}MD5=DB059ACBE1C8A91C3D4C513FBA5E2041,SHA256=55E6435276DEE4D3B4B262462418D85BCB92C400790CF18CC5E3F0992B633CA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.217{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{D69A5B05-36A5-4A82-A86F-7E2D1EE8D624}MD5=D81155498F565A62977EF2FD58BD1167,SHA256=13878A28B5034C97EECBEAB3537C04FE52FD4FE118851E2C70FBB72E354E53CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.217{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{D5995F06-59FB-4DE1-B9E9-EACE6F48AEC8}MD5=0591FC72595F9CFCE5853753BEEC8FD7,SHA256=2951DE515BF7EC6DE168042A0955830CF96DD9721BAB82638A63D998FB9F510F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.217{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{D4773C01-C4A9-4489-8CA6-0DA7002E4A28}MD5=4C505E47BD7F4F831A1AC83A2A169357,SHA256=ABA879D5397530E7C033B49DD9153156943E951E2E5244D50C14E63CC5678E2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.215{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{D3B3E705-9610-45EC-9879-C6BEF2CBAF58}MD5=43C7369C28358A1AA5D6C9468796549A,SHA256=33D35E5967DCED3A4694F3455D1CCB5265BA4D098F9B7EEB3CF5090A93FF5B88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.213{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{D1DC327D-5D41-413C-B38A-0D80DE77C28B}MD5=3F70112A925E11F06DB8ED27917E1536,SHA256=07A2D79893A02E29DAB19E834E9B73B841DCA1A3E1BA1617C9D35A3A427B429B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.195{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{D1B1D608-6EBE-4E9F-BDC1-6426C7EA2AE0}MD5=167F144A31EA885F0BEB589413A3FFF5,SHA256=F55671AEE8137C6F9EAA0327DB7F0E83A3E7ADA70457874594148D7008B390A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.195{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{CFD42D05-69A8-4CA9-B185-9C400064963F}MD5=71A56E19F768CDF0624121D7ABA06EC9,SHA256=94DC2DC281347B289D3536FC1DC1E6825109CACD62FA8AF628906BE28533C542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.195{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{CFAEEC10-BC2F-404E-8C56-DE4F2C87B36C}MD5=65600E4DD9BD34798F9D5E7D9CB092D8,SHA256=46EBE54343341059E987F8FF3CBA308E0CE7815F3D2A199CECFACB317328E1A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.195{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{CF2C59DA-A788-4AD5-8139-CD44ADC9795F}MD5=385D2FC61C0F317A0FC85473C1F354A0,SHA256=79B1ADDD372C670812A759C5B0941A5FE0DC3D5E3883AE690012CA4CDA8B9692,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.195{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{CEDA107E-F682-43B3-8B4A-7AA54D983D51}MD5=0ADEE77948BA1C5B2121AB654E40FF08,SHA256=A230EFE0BF8D1602FCE47CDA980F22CA5F2A68A2343AC68E33F7B096CB876A00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.195{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{CE9DD0FF-9CA0-4319-B5F8-6B0C60894597}MD5=A479FE0EE14311EB49C69C5225374296,SHA256=B78BF0C12063867439B8DAAE7663C9B37D81AE9BE31F580FCFC98818B8DFF457,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.180{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{CE1F196B-4BF5-424C-BF04-E4F87B0A277E}MD5=B38C08CA9452AA01F80F426C739D4FCB,SHA256=EBA1F905CE6A3F473BD88A169806AA0B65151C5C45D3A17CA8AA7A76ED2B7723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.180{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{CD6F2DC6-8CF9-452F-B459-E5CB2378A886}MD5=E1D6539471A122F889FECF2B3DD38EDD,SHA256=B6D6FF00710E081083EC6824B49276FF808099A10F9CAE7CA38E1AA7D79926EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.180{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{CCACD518-55E3-48D4-9C3B-4CA4F236221C}MD5=B2FA92EA7DECB65299985C8ED4034E02,SHA256=3113C0EADFF819AAE64A1AC52BE1E0536CB36AA74D63A3D1EF71CA501999F703,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.168{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{CC6DFE89-FF02-41F2-A712-B77ED0A846BB}MD5=AC52981EC8257EEE42AFE65B675DC780,SHA256=FA435BC72F493F65146775F3E07F030CB33E863471E99786CEC49857F01784FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.168{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{CBC7692E-2A41-49F3-BC4B-6457CDAEFB6B}MD5=D0CB985597061D31BEA3A0B56BF2A364,SHA256=5D28DC5D0F92387C4742CF9404BE2823264B3E8D00582325B64EFCB6116915A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.148{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{CBAD8F2E-E058-4CF2-BFD8-8E1AEDC20B97}MD5=B523D1304B2F0D0A2908A38257A6C85C,SHA256=2A42A9C0F45CAA559F599F3356858D8F1E427C34316908E5B9C1AEAE359EE7E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.148{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{CB799160-D395-4305-B173-DCCCAD9DC756}MD5=A07BD87DE0B6C2D55A78A8EC0305CCBC,SHA256=ED359ADBAED9C40BF48B78E8AB50D3311BDCE912CBF5D103EBE9A9EE42FBD3A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.148{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{C722DF62-F5A8-417C-9792-16DE1A6EA65A}MD5=3D8E9C5433B45FD75DFF69079462CC17,SHA256=D476FA433186B1E03BECD3AB8A34DD802FFA13041246BB295DE533E905334D27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.148{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{C6D1F4B3-791A-4294-84BC-A5CC30C7B824}MD5=DE89ADE88B0C8C97F3E7A283415A8000,SHA256=2FDC98EDFD3EF76195327D872E24D6F35F81F19AA2E8047A599D47B2495D1A01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.133{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{C4C075D0-E919-4C24-852D-E13780EE4658}MD5=302DD472BDA406CAC75F53565395D325,SHA256=A5B249028EBF84426C8AE927101F1E87CE942F97B772235DF9188CAC50E66972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.133{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{C3BDCA3D-DF70-49F3-ADFB-CE5D29FC5979}MD5=0575310F85492A9BF3F31C5F3D8098F5,SHA256=FB31AAF4BD9EAE7CC520B8D2D7F1108A70D07EEA4AC6442B9D5EDCB7FF61EB77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.133{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{C2AF2911-762F-4EE8-94F8-532CA2D33773}MD5=E492707405350C220E1AEE0926D1C70A,SHA256=91ECD325C69FEE2DC350BBBBD2C46C274D4049CD37D8666C89A272FA3CBD0BF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.117{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{C01B19CC-3AA4-4C14-AFA5-8730E0D5AB29}MD5=4C9F0E7BA202DE3EFA0D3FD7EB9CE0BE,SHA256=BEC7B92BC7E2946B667CBC7A51C9551A6BEA4A3950B8D5D15D969EA270A5D040,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.117{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{BF9852F9-1063-459D-8019-554A967D65DA}MD5=7B333541432925938FDBC59AB014434E,SHA256=ED81D75C4CD564482584B2090BB050469A77AFAE84F9EAE919494DD5036CD2FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.117{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{BF727C28-7D11-4CD2-8203-F7B1CC260A45}MD5=E8D9D964EFDB1F1625590973F6510A92,SHA256=3176A51E20B6011828F71B1D49FFB99D12A874AF82A9F64B697B24F8C036AA40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.116{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{BC484493-0073-4E21-AB55-4E00A7E58BFD}MD5=BA0E199D50AA8042FE56A96E9B6FE938,SHA256=C39F12FEEFE3C880A26A83544C4633F15FC80911BB5EE3771C3A6FDCE0FB694D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.114{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{BB13C884-5D20-4A0F-A888-92AE1E1165B8}MD5=567AF9675D37357B017B86990B74B7D5,SHA256=4539CA179CBF02DCECBB93F612BDDA54598749865B202C3C21D4949F256809E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.112{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{BB0CB465-FAE4-47EE-A0FC-754CCF576574}MD5=AB68871FBE1CB062CBA92751388337A9,SHA256=F061E63D3FB3EDA7CF0A3F06A536D51D2425E60C36D9E6B827A27A851DDAF7C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.095{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{BA77CBB6-4261-4986-B8EA-BFED3D19F89E}MD5=C1D30D7A001B79D3ECB2250A33576D37,SHA256=3A4C7EB740E16EBC23502D4C211C8A865FC39850E3D18DAA6FD54BF3A6D65359,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.095{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{BA755D44-A919-4B89-90ED-8D83B54F6D61}MD5=3B8C9A960B38B0FEA34CAECEF42389EC,SHA256=87BA71AABC877F67EF8D2CD4E12047807DC3A031BE3D77C9475848466E81FA01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.095{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{B995D253-B1BF-4838-95B8-BCE09262AE18}MD5=A3CC189708E0A820755CD7227B5130D8,SHA256=D1F46320978C7C87CDAA22EEE66D54383CA1519AE9A635766F5C89BDB408CC38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.095{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{B7AE5792-6CD2-4847-8071-8933D032EAC5}MD5=9483BB8D32383550B70CF56794BD1A89,SHA256=8E58041D4D3FAFEDA3B4259FD4C34FA378ED78CCD581C666F5C511AE2FDC4ECA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.080{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{B7A0760A-4C3E-4050-9871-99FF08025DD3}MD5=293A6DA482D5BBE33481D3862627FC85,SHA256=DB4BC9F4B278E28EA33C8D6EE0C09C1333999457C81FC0E78EB77B084BFA26E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.080{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{B61C4D6D-07BC-4562-BAF1-45B47D25F2FD}MD5=CA431B3877A7F0DA03403BC4775B2A80,SHA256=8E30D9FC8B67174E81D4E7E60CC8CAB5FBA1964A0005DF14ABB79BD54C8114F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.080{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{B5E47FFA-C524-4886-BFDD-E98152617FC3}MD5=4C3C53DB4C12447135EC8D9763CC3390,SHA256=D63D7E402DE1E88DD22AB81A85A8A364C68C4FF3364B40F370B56D756D9A4EFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.080{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{B5A0846F-A5E0-4990-BB66-AAA3A5381044}MD5=39022D3EA92409E7C68C7E9A05F488B3,SHA256=7FA4F547902131403FA87A57504D37A25611781C8F278206E361905B83881F54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.080{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{B35B1B14-29DB-4BFD-A3AA-B29F7D7AF938}MD5=5490694B2E1E178A45FFEA99EB0E9D35,SHA256=76943E8C224DDCA6A25A3938103E18582C2223DA118F320EA86D64B9AEF4894D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.080{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{B09CA134-4A1B-4A3F-A448-66110086FE87}MD5=69542497FE36617DF9DE409EBB9D8B0B,SHA256=3FA3CB69BFC893448F3DBE1C5CFDE10EFEC2995BB50C1AED5D5A2CB2E63B00FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.064{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{AE2C18E7-7BEF-4790-A0D3-EC5B8540C42F}MD5=ED25EE991E02296CD5FA61357123796D,SHA256=44162516A91BC1C48EAAFDBC91528967D11B71F37EB79A2C32D899E5E271B36D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.064{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{ADA4AD01-FBE1-404E-94EF-3496660B4874}MD5=18168D2B1AF08BB75483744095E0789E,SHA256=43E5973C0F89EC0A9E121B7CE5FCE348555F75550FC22DECEA1D146952DB8F03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.064{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{AC719959-E638-4ED6-9592-1BD4DBAB2620}MD5=DB37096EC5C6790AB8979C9A773D89E3,SHA256=A18BF16A78366143D1AD3E6EBB48630968CF4F497685E33EA72BDD94409EA222,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.064{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{AC51AC83-7590-437D-9D1F-20A37895C5C6}MD5=775BF4B78753F200A054E6D5A2A41CE7,SHA256=8A5C5E2332F9730D7ED2AD4C8C373C378CE096335B00EC47F892B4797899C306,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.050{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{AB2C08FC-68F9-43C7-8F5C-7AC7BC7F33BA}MD5=7EB2F65C234A44AE208F1C655608E379,SHA256=61E8EFC14C18FA3978B08DEEFB753ED576A67581BFBF13FF3647B34A6D3FA5A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.050{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{AA9B0A77-0BE3-44E8-8741-484541C4464F}MD5=4AA14F651E6934D9FC829104693B846B,SHA256=27789A77E490E7BCDDCD6E86F1374E0BF299DAA2B31FE39EB6A4A343904648C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.050{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A602579305CAFF24FA84F48F738BE6C,SHA256=63E7DC30500A53FD650BF8A6295E2E6CC52EDAB8E6BE7515FDB352DB5167D24C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.050{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{AA753CC6-5B64-4AF7-B289-07D5105ED853}MD5=8BDBAAE8EC81AC7AFAB9EDD070391900,SHA256=60D748550DA8497F89A308C165F112D880FE0809B751432F88FD99B061784583,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.050{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{AA629C02-C116-4720-89F0-4312B07A24A7}MD5=DE122897E23689F51417997714AA144E,SHA256=60A21932D07A04551D7E908FAC42D6A707E660F2D230C38FFAE7BCD7FDFF4DD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.050{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{AA20419A-E28C-411D-81E5-41B4D11D9B18}MD5=5A72FFF9B71515FDD9B2EAA587735C89,SHA256=1C5AA833E80442979F4E828C69387EAAD3D4913F7E7F82B62FF72C7E0C6E1FF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.050{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{A9F609D4-DE0A-4AC4-8FFD-4ACD03DF3CD4}MD5=AE88DDB0A406E61C7B6C07EDEAB0B336,SHA256=18D18A4AB631D92D79BE6B8C0E29A6BA977221BE0074DA39C6CC1A1CB0B448AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.033{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{A95945DD-EA50-46FE-A809-F521627A7FE9}MD5=C8BA324D0A30DA1032B5366181602E41,SHA256=48950D7CC146E7E3C86FF29D77AE9F2B81BAD6158530B14C002D081D217C2C89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.033{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{A8F48705-06AC-42C9-BDFF-4344C390E561}MD5=71C1FF15F18B99AEE961D20810497646,SHA256=97E94282754EFDD177A5621EA9674B4F93B49ED1833212144F2B45C499178229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.033{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{A7B4411F-595D-4C06-8135-E53B1E24AD56}MD5=5CD9AF932884B5D03C26F78A622C9F33,SHA256=9195BD1D29050EBFE8DAC5D285C0CF148BB8D98D4416FE5312A36F087793B261,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.033{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{A7AE22F5-4FD7-4599-8FEA-15B7C65CF9B6}MD5=D33F23FFF1867D70FB08860F1668DEF0,SHA256=384736297B4321669DCB0020065D9E8CD826A6D9C076EAD322C9A6E729322514,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.033{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{A74436E0-35AA-4FBA-976A-36974A2EFC97}MD5=134F0FB58E049AA79AB0FF12F8179B9A,SHA256=9169E58404107583C688BF37024D51469A1EC58928EE06363282ACAAE99D01FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.017{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{A73354A4-DBCB-40A0-9A4E-D318AA3611A4}MD5=0C57E3789B21EE7E43AD57C3C7790D47,SHA256=7F56F56EC0B5A453592A09F0DB43173BD3120670A672D94FA8AE32C8CE9865C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.017{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{A7283017-10F7-4FAC-8C3D-914E1BE6CE78}MD5=E58FE3F4E8ECDE31ADB80FDCC80BD84C,SHA256=E2061930D73A406DBEDA30BC891B0ABF5F258EED98FC19892E61AE1DC7D0A658,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.017{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{A6AEFFFC-3AAC-4477-8F54-C80641426978}MD5=B23D8F69E7D10EE49CA80F8283FE71BF,SHA256=3A8FE69083174F3E2EF2C3EE2F6BE203784C90E342BC612F343F13B80F89C944,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.014{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{A53D282B-F52F-4CDE-8CC3-ABED684FD739}MD5=1D0911D2B18912837F7D0639D5336A29,SHA256=840F45C954CF32B38B75F9F28727D144F6215757F7D856EF01B775B51EDD50B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.012{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{A4170FC2-6080-43E0-A679-DD84B69E11CD}MD5=4FB25D17FF31D499335791C1417C296C,SHA256=D59E6997A916366203BF226B14B524DB2D95E1D56D6152712F4EAE07459BEB09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.995{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{A0AD5F53-3E45-4F19-B06F-B53E5A7F4E6E}MD5=1462EFFFB5DCB4F6811DB8D27B4D9364,SHA256=091D61C7CAF06FDAC77F14A59FC3466FEF62DF2753C7D92FC2D94F1E9873A9FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.995{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Results\Resource\{A097D8AF-0499-4E1D-877B-241E12887577}MD5=257CD634623E0373F7125611618A69A5,SHA256=97A231A7F0C4B3FCEBA76958AE41B749664ED08784DC6D6FC4D3543506909DE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035487Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:50.379{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81CC49EFA8A8B7A74E5F7C1ACCA85963,SHA256=DB24989964937ABDFA68321E1A4F63D47EFA18D9A0857CB8FBB9914078683D78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.870{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-7451E71CA2310750E3D8C08DDAC30512E2666826.bin.01MD5=369A570C5D1B91ABF343D3645CFFBD2D,SHA256=8D26D004DC1AF5603CDF27DD22274906BA2B0DC2AF1EA989C478CC379456F30E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.853{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-7451E71CA2310750E3D8C08DDAC30512E2666826.binMD5=0A4D7953DC35B59757C957F514430C07,SHA256=94D82119CC838D3DE166AC7F064C4E45131C81398C471C5DCA26C2F0F8BFDA6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.701{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFA78B53D5E4C553BF4DAD1CD9C71C7A,SHA256=0A112E8E254B5C6F9DAA6AAB38951D443E0D183FAD14DE129890E1DDB1F4ABEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.597{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30E3704CEEF998EAADBD68BD3BB35E4F,SHA256=19DCF25A6F6E07E5AD3D2C2D5583CAEDD09F076D554FB40D1FE9892AC025E2A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000061587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:48.099{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62426-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000061586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.480{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\Scans\History\CacheManager\7A012CB2-69ED-4AFD-BEF6-F12032FAA46EMD5=5DFDED768AACEB394B5DBD7FA665B45C,SHA256=8DBC21201AEE976D965521959BDF362C74F1C36208FF77EDEB9203AF2C43B00E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.480{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\feaaeb8e4c4b2619e52e7f5c00fd79ee542887b4MD5=502424B7683C505923BAE40574790E7F,SHA256=B705F3D62D5CFAD461B7900EF98A66A3EFF10D0F21F2A55F87FAB2234F1BF35A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.465{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\fe411d12a874452bc00e2b9293eb73db2ca96231MD5=310B1DFB0488E14B6D55116F728AC513,SHA256=2B296415A4A40C957E5E2BB8A58CCF748E5DD9E40EA4C2DFA3CE63BD15D49340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.465{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\fd59ff44bfcbf04558d19c175e1b7d6fa8709243MD5=2B0D85B7A7369953B2E24C78E7B477B4,SHA256=5F625B473AE48A138BF3FB7B13BA01E257AF41395F1159229EAD4C71E5C057AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.465{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\f9813ce4f7194c1139f391fd5d9c378be33ba364MD5=77139BE822359D17308FCFA996417907,SHA256=1C64E63931D999B559BB4E0F8BF81B257739BEE1993214FC3A0B0663A864EC64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061581Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.465{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\f70e9af004b60962540071bb9537071faa4d248cMD5=1B3945602E8410B08F224ABD15EF7257,SHA256=2F593C5419AADD6B92F1A9029D53F3302D829D3E265D0F0D77F77463F6C3D785,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061580Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.465{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\f60fe8f2055886a53a2c05644ba1601dfdcfca7fMD5=04517D11D5085157843B1250FA177E8E,SHA256=7DEF659E9F2250DC8EA4C73404CF8FCF133E27522DEA68A3238647CC0FA265CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061579Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.465{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\efa0174acaf0ef39dbafad8ee6aba17228dfc224MD5=CF8D423D98E9069AE6FE667FC5F60218,SHA256=DB1FBCAE5C11146232965E287599EC3897695AEAC373A5BB9A12A9F7C685187C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061578Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.449{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\eea8bacb2bc41c42ba680aed503206db8729ca54MD5=6E27781F4C18B773178560927111A44C,SHA256=8E4D6DE31A558489BA57193DB7ECF6AE567CFB8F707B448789EA1391E2B0E8E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.449{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\ec91737c570b76abd62af6bb1da989a52313a68bMD5=C2F752E1E981508630FD7703C8D3ACE4,SHA256=EFCE89F264B6BB55640E9FE21EB822A4D004C7751CD17BF971F64E4A40E1B88A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.449{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\eaa110039702644bf30579ce27273411ad3ad964MD5=86AE1D8E592017E430AAED2BEFD997C0,SHA256=E602BE577C7CBBA80B1D0161206A446B6916B5A545D26DB8514396730381D2D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.449{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\e8cda0500227dcf550f113fca11d87a9f1ef9644MD5=A22F9349D7A8E409753C43F1B11C8F0E,SHA256=2E3D387C72BB9DB9BD3768F1EF3F9127F0F1597440931389927C893E68816716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.449{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\e7f3cc29cc5c0cd68dbf2b8cc96980b333792325MD5=0C7BD95653AE034A4CEBC549AA083319,SHA256=A95A66E10C2D8314B198EC927671FCAFDF094CF40DC29D3BAA2DECA7D1D69A06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.449{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\e60d18f241f46688a2b2bf82c4e39e413b31a6cfMD5=F605D5E681FD1963A6838CE281683AAE,SHA256=CD5EC7339B6617DC257251DDDE308E4C374DEF9A9C16B6699A8D55A193890274,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.449{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\e433058081b54b27222e8c7a9ba4f478c0217218MD5=DA4A03A73E06244750968816F566BCA5,SHA256=09A8EC2975F5C5B0983C73E8BF0222A85C8794B124A0108E601B33B273CFC5FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.449{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\e399150c48d303756a75665d1e45673829f65cc0MD5=9DC96A0D2EDA2F9806E2F85BFE9B030D,SHA256=FD08A38BCF54F383A91C5DC09EBFD7B1CD5C406E7B071B73026C20C5FE5BCC6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.449{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\e3042e0a8b93d0b7a58ad0b332f859c9cbd42906MD5=293EEB6FE0621457DA9CEA753F1797B6,SHA256=0C83295DA849AFF0B0334C26B468871F86686BB0EBFB2174154E080EBBB7C7B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.449{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\e2bd5dab8322bcc867acb0e837efd24bcd46244cMD5=BDD64ECED734293C07565553814E5B0A,SHA256=5E4F23782443C08276ADA6FFEE285CDBB2F9529BCCAB45DD2DE68EEB4DA2CE3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.433{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\e180b430636434e0ac8dfbf55140928194d2d9deMD5=580D5C723DFEEFB7DEE9716B38328F5D,SHA256=9B16CA79095EAC13A7043A87779CE5E928DA6FC3E8CCA78CEADA58D5EE8F25EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.433{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\dfd41fcd89301264e260a8eaf831ae07f8e431e5MD5=E6E965095AE34248584737A4D3F6DC1D,SHA256=F4C2AC3876C5878BA593D4CEFA0BBF533D378A2E2941A584761979B647326572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.433{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\ded1b10b31f0818ed8bc5c7e75ae3d61aafaa932MD5=E686D5F21013DCE1FF898FC15FCA127D,SHA256=F46553EAE62E0D9CF77E12961E1833DE3FE32C58C3F0A045FEBEB3C2D1366621,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.433{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\db2ae8bdcfb39e3d4ba1bb22ba43c4cdc1e6be4fMD5=8E21E72155C2AC315F16B85C6AA5A208,SHA256=5051CD9A8475E2D925A98950DC345F3A0612E7C095741A12CF154E5FB3217458,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.433{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\daae03cfdc51e3c9e0aac40762ad09d0e3979d85MD5=D0FEDCB2E9009F815CB7FDB6001E6A70,SHA256=1430909BB4DEFBDB00B0A58BAF194E216E7EB2DF6D00B549096D3850FB36FDB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.433{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\d85081fffc51017707a997e1ca8b41e105dfc0b4MD5=808679E6FB4B45820B4D445C23A2926C,SHA256=556DA1A7A1639B355E5FB79D14227210C1052306C1A0787FDA866D4405616F72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.433{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\d6e8dc7edf6da32973747faefcb8597fc7f94800MD5=C42DE44DCCEDD56C6717A986D7EB31B3,SHA256=A6B7C302561AEA6E0D4C179F356E0D3EFB10E02F23CF818454F84DFD3D62F7F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.433{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\d6c5b326df0193e6ba5f056b7018de09f34af355MD5=61150E0844FF4E2D69D2BC0E16EDAAA5,SHA256=4FB8059974EEBFB5F58F70510C2CBBC7531C426C806218A79B0EFCAA2A128B88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.433{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\d6a669b3333dae7cbac7223e4d2fcf9208c8a74cMD5=A617820304BBB0315C4422B05A169509,SHA256=5F4317F918CF1A019D49A792A750F3674B79E7C7F3B120B2B50DAE94EDB799A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.433{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\d60559b3310f0e7ffce87212589cd819a3f4e64aMD5=9349E4D4506B6692C55AA96B53F79AB3,SHA256=4835442E00AF01070BFB2EF6F26B904B2A5CFD53139744ECB334BB9F40B2FC65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.418{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\d51d91c684291eb6519b8e4505b318cf20b6b7a5MD5=14C0C6C6BCD376337A23DB13D94A3268,SHA256=0F6CB36A5C0800BFFC54094AD05293AE5E1963358FFBABE63306F23DCCC47D5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.418{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\d3099aec7081590c53f0ff64c6594f197e179fbdMD5=8110F6D9A5C7DB6A9F11C6FE65743531,SHA256=A10928FBA66261338DD999DE328DED96EBE96B8F3B48A7CD553E09F008BA739B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.418{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\d07319e8fda09706c865abfc988d5ac04eb5479dMD5=27EC660FD29E3531AA7B3B37CC025F46,SHA256=CEC6BD16BA0BD316E687AA9C6BE3009AC1F0908A72EF82183D6C012F19C8AC7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.418{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\ce5bf601c52eef01420188f39c6314192e562ff6MD5=E9051C788A42444AA54C6B9A08AC4AA1,SHA256=C9B0F201E62E1C980488C3CDE991C04FF0EBEFCC0ADF3299E6929FD136E5A4E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.418{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\cdfccb20f5e45f8612719f16a0f655b9a7d9e42eMD5=B6D5A82C930481B365455EFDCBB264EE,SHA256=34DDA191833C4211CB9AF2E84990430A18FCDE3CDA1D21E15FB10D57EA9132DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.417{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\cb39b8ef01792457ded1ee049df45dfd2c137c27MD5=6B432526C774840CF25F343439D15A40,SHA256=352D8163CF79A00AB7204F85BB087C910755B8423AD7B09DA20C4C1166B54AFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.415{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\cb39b3cc5220da0398baf78be6de7ce430e87f48MD5=ACE005656ECD331E40FC25D17388E374,SHA256=49C946DA504F9DEBEA96CC54BB1A8990A31A5F61094006DA2D19130A1C37D248,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.397{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\c99b6a6eacc065df5263ed8cced2af892b4965ffMD5=35DE4017E74FFE78EE3F32A217798323,SHA256=DEEA5B50705B4D8F7F9F73BD258EE0F2B31584E6DCA40A84FCE61B861FB7771D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.397{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\c810e9b5bade265b9f7a779ccc936202a699cee4MD5=BD6F3D95371775CCB5CEC9D9ECFC6E6A,SHA256=35B8A2E7240BAF68967930509B573A6FFB847FD49B062FEE338B8A022908B392,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.397{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\c76d0ffcfe6ce1277e511fcf812267db80cb2d28MD5=D4325E680A2751D6BD37AC86E8151327,SHA256=1B3C7CC284FF15659A2C348426610ABA96C769A2A0446735F1C77D80C770CD1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.397{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\c72d459de671a215b9c7d9b0522c2071cc814354MD5=C11FCEED3F50C9076E7C7C3790EFF998,SHA256=9C8AD7922F5B00E09D8DABBD1DDC709F81EE08D34EFFB183CE210623D5F4BA23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.397{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\c6e73ab5f57f4192b086b1c9a59364acd9bed7d3MD5=4AB9DF982D42A751CB8D01D3F4D2978B,SHA256=219141174E88EDAE02DDFED63536128F147138CB59492EEE47325E4E4042A54C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.397{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\c5638bd37bcae8d31facb3b021145ca3a19b3679MD5=3BD6D367222F21285A3862FAAAC2DCA2,SHA256=553A5DE9485023A9BDFCCC48CB26A393A3135F0A245E3DC14003E0E9218260AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.397{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\c2fd682d30f3c90756d6d60cca1440b99bd084b2MD5=2BF4EB8A5B6508FB09EEB28601940417,SHA256=80C9216D48707D381BD40093D32AE441ECF6D0EDCD1BEAF2D854F986EF675F00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.397{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\c269a6763bf9282f71cf6b2ecb3314ee910f9d60MD5=BB16D6F126A37173D1C15617F247111E,SHA256=D9670A8E82265BC86BEE51C9D108ED0504836253A930911108D9A03575939F30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.397{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\bf18b21e1f8deb6c944cb9f73c4b3f04b3dd3f36MD5=509F15A982255AF9857FE499265D3CFC,SHA256=BBE12D442172B1D1354BF8D393EB75E9557C6CFEF544097918FC580839B30787,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.397{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\be4567ddabc2b223e385ee6ea3afad7e4a45e1caMD5=0B02917BA1AECB00EDF03A26666BE7DD,SHA256=116A36F459C03094C062017120EC265CD9FB54D97C9E613FB113345A742644FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.385{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\be20f9484669f31c1865d4902805dc939587b8e7MD5=8A2AFDBA421356F7F09791BAF8DB5B21,SHA256=35C3EF4183AFAAC12FD4B6EFF592398544AC69903887045D92C2C3C28C02BCF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.385{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\be1b54c2ccbab114587f28e175629b960fcfb481MD5=272E68A4B9A56718B44EA7BC5D182352,SHA256=10AB9E2A48249114CF55B57452D89C2E608DEEEDC72A06FD5765D2DCAA064783,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.385{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\bddad42ef70f7279c7e2b8ff4765684d436a19d4MD5=E3F0D8F8C70CAAC54D8D23174CCB3A0D,SHA256=7FDFC884D11D722004A617E82273AFD3CBD16D0EB3F9288BF5A2AFDC75C6D990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.385{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\bc8922c62531cd496ac0fb33832429d11e3b0afcMD5=55B36A1DCF1A1ED7C0D114CEEAB29BC3,SHA256=6B86E827304FB4AEAE21DB4CEB66335D30256A7DCD0CD17C826C0A16F887A574,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.385{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\bc3f22b9a998604f3abec1b47dcb331240f51d13MD5=C8216BD408E66D783F637AC84DCF2553,SHA256=923CD70098CEA959F03DF23C4B87BAF78A680327F82EA1A399187AEE782B5F0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.385{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\bb96995d2f45442a0604ae9d30f2ea3ec12c5e9eMD5=A9CA55469DBDB5AE1CB8980A6C21AB3A,SHA256=AC8356348A2B578A960F1DD75220F350DC2EADB3FCF30B7A4176AD11D3CE14D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.385{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\b8d04d7b87f5ccbeb18d0fd103fcdda2a696d048MD5=9F69E8CAC6D56EA30A65EDA87B1C4325,SHA256=2C1E0F3B4645EDB24F15F06F5A124661A4986729D3B2EC85B648BE92E8C14666,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.365{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\b5adcb84f9bec8a46157a0dbaa9bb2ada05aacf3MD5=63530B3C4A66A47A6A628B9279474265,SHA256=7EB968240D568F2D39980C2A20DA25CE7606F848FC3153E23D4600C36CBEF70B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.365{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\b4f0beed7c8cf21e2ba5b42cc2fe03d8c7c685fbMD5=6277C217FD5E05F045CE7013310EF1ED,SHA256=68E24B7BA000A70E398E4FA35E35E4C6AE2B84A9751C63B73118DBF2D630C92A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.365{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\b16650e8f00d10ff1eaeb756e08670a9a2fb94b2MD5=1316334727D011EEA884BB55A3C2BA65,SHA256=C01C521595A754FC6F52C5674D37DB9C72D7DC8663A6FD0F400BE9818823524F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.365{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\ac44f2bc7df1957f4ce862e2a0430e29946f7895MD5=2D7BD10C6CBCD1C37B4B085352896BE2,SHA256=78D0DD4D6C09DD1F9A6CEE438BE3D0D08B8DAA9DAA72B22304E61B771E967ED3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.365{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\ac29fe00bce19ec8929296f9c4cd4f7406e0ce73MD5=125253B6800D1106DA147544FD62AE57,SHA256=AFF07D0D1F9D6ADBD17C943CE7919C55B627EF9197A90953CC74DB0783688EA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.365{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\abec3f08a1437341998bc40aed516d0c73ec3ee6MD5=9DF489DE5004E168B867FEC88113C5A5,SHA256=9F3A8CFEC222E7F2D402CDD3D8CB9884DD0F731028A4889B553E9FB33873CCBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.365{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\aadc954ae9020c523fdd31d9cc02e00ad374d826MD5=769C0FE41E99169CA429FEFE1589526A,SHA256=184B2190E08AFEEEFA3C413EEB25B4702E26560B810324D1AADBDE218E255EF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.365{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\aac7e921323cb41c4cf82a1a215e9e5c8e171f6dMD5=1B7FBB3FECEBDEC27D405320CF49747A,SHA256=B12922CB6522206A420AA8B33A1D99ABDC36B3A923FDB27ACD958E31616E4634,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.365{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\aa4f5c8703433c1595fa3bc84484197fe2233bc2MD5=ACE2CB924812274A6D70A9C475D6AF60,SHA256=EB2A81BC7321E43035A8B3C038B61B9530444BEC0BB158A55A9A66B18F878427,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.350{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\a8b34799a5d762d1f9ac0015b99638b3e851cbd8MD5=B23EA80B9DDB6DF67D02496949EBAE81,SHA256=C3A113C77B849BFF5E8A3E606AD77404BF0DC6A5312BF629AC3B7C018DAED63C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.350{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\a63916a7cc26471a1788192f87cb4e89b5a46b75MD5=9D3841A3BE66601435A4B8DB4F25EF93,SHA256=8B9A9DD0F6445AD2A2BCB496B2C777881DE0F37C8A5ACECBC596FD7AB540CA6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.350{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\a29c9c19925af51181d172cf0e4056b033a808d5MD5=17525708C2E5B69DB1A1A967C7ECD15C,SHA256=291F0AC0D93607782C0FB172903D64C3359614A95A80D4C29B6DDE660F9A00C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.350{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\a1e4fdd55f5d44ac7b84a4ea0b82d6767b359d6bMD5=782AC438B09DB679C8CCEAA74E690EEB,SHA256=16C3F8D5A6240AA8FAD1B60BBB4D2FF3EA997AE673B7C02E8A59391093DF66BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.350{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\a16aa44c06d2ab15a5ab0fe2f6d64e8e0ae06867MD5=3CDED76345B7432C3D8ACE3701FFB7D3,SHA256=015918B4F758E9667F5D023B691A64E5F0BE92C1362B2B9EED709548B3B83670,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.350{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\a0ef494f7c912415f8e8721a02d12cdbc50e928dMD5=E85464F8F708F92B55E6E925ECE897D3,SHA256=418B1C3834F5C70EE901FC35D3CC7FD7B75C670678FA69A1C81280934EA8B9D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.334{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\a0c277a354ed69cd47f1394af9537ee2e7464475MD5=7CCE22D521EE6C804895911BCF9D2BF4,SHA256=D8E0EFC6B7CEA86E6FE6AB773EB5826960BDA60FD5A6D42BAADABF4BA5F03850,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.334{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\9f1f190c3d6d02cc1e2f295c282a0eb36005efb7MD5=9ED68F886559E853DF0CC255FEFD26DB,SHA256=57981C8B833C5044DF7458DC74607CABD30957EC53744ECF9D39369C6CC63B64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.334{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\9ca3c0e8df27ba884a6d7512697004ff3c241c38MD5=ADA6BB38666CAFD032A09E559E7F3D4D,SHA256=536916B71231A60F8135D7D8A83F862CE9E2C3FE78CFF2B846378C28A7E4DAFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.334{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\99a59c1db34ea398c9114ea5aea5051927870824MD5=436938F3DCE7CA16F170CF32675D504F,SHA256=047CFDE07002BD5D97242889EF48DDC457FE25624523ECDF6F53633628AC2E2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.334{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\99887a0914320fcb54b835fc6e23656c401d9573MD5=6F0AFE7794AC2D9590E05DDB9C7EB9B8,SHA256=BF79FC55821A57BEF4FBEF0D05ADDDE01AF4A97A19C2AD4E9C042BE4756BE518,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.334{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\9785bcef0b9d1e277e2a17fca35f24ecb7ea2dbbMD5=4D6F50D60CB2CBBAC391DAF46704E2C3,SHA256=D48874330F56BFA0B6C9C724FADD75594BF2D499617F4BFB9A9237BFE0D88963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.334{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\947e38a8c199b9d4fe99fdb0a599ef76b8d00caeMD5=14CB6B0AEE5E10AE15E503144BBC832E,SHA256=EDA17FDDC803090B61B25EB25590E8F4B7E8B26C319F272C11E8195642479ED5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.334{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\924a65801058876f66dc233a8226e906faeb1becMD5=06888EA4D8EC25949A5CB5C35270A492,SHA256=514C0C19F68D88D03FDAEF746776BCD0883773D1ADD48B61379632FB1B69ED72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.334{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\8dc0f509670676d2a050735d9635f6033aef1507MD5=7755BD2B3C7F765C2B68C51F4273B48F,SHA256=4EC6B59248FDE8013587C55D06FD0CFEC9D08DA0BA212E5E92B2E0492B3A4280,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.334{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\8c6ce91fd1040cea221b6a0231a0c3551f539180MD5=C83247CFDB73858196B3D93A2BC0ACC4,SHA256=24F2077D87ABBE1FF8969056A9281847D5463ECA452F17D51B21D869A4A9546A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.334{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\8a2903175c25fc34b0323502493f988222f4141bMD5=27A1146D11DB7998487C647D3DC2F893,SHA256=C9A7682E87A62BB2A16BD56CD14988C51C678E1BA728DC7B83AABD59E53D248A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.318{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\88db5cc372f8651df24c17c63db64b52157ffb2aMD5=F21180DBC1DAFC06CEA042DE901E368C,SHA256=D8A8867556CA80E9796DD63CDAF00824A3A586FE804F0EE4CE8B45F6F8637A3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.318{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\8693d7e3ef29891848329386b62c92a7cf3ae746MD5=D1D16F7F80C96FC1DB4C999B8DD12F41,SHA256=56612769E3596DC8E03DEFA86CD2DB9A3F62ADAB47D3ACCCA5862C25D7310FD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.318{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\84f10b1a490992505726a11762f6b727a4f05092MD5=4819539930C18F5CE7571A52DD26F073,SHA256=4BBA89C9619361B47BBEF823C71D1FE30F2F9E6960356CB1BA796C725851F571,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.318{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\84d49cea2da43b859fd6d3c2aa6441468e49179bMD5=C576743B6EA8A837FD682535834E5001,SHA256=F39932046154F418AC2CA340F4622FD24999F18AD6F576FD197DEA45DAC5EEB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.318{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\829d0753166bc8ddd265c4dfff39358836d44afeMD5=BDF085BF9F960CDAFFE1287568DB4746,SHA256=C009D6A7720D480140E339F5B71DDC7D68BF6E4322C7B89F91388952DDEF7CDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.318{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\7c96fb61c543ae85c8b9ae63eee7f2b637a707baMD5=E500C65C925CD864C76C5B154CA8F9D4,SHA256=FC32E72DC183D6595B8561ADC2BAB4B8D5F7481D122ECCDEFB136D79090F7F8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.318{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\7b5ec008f25a7e32e8b5a9883e5d2fb3f0441756MD5=31B4393CB53E236F4644F0874AA9A45B,SHA256=C05D000F37BDF7082226F01D13AB8EF17BFFC50F6ABBD3741E99605301A81292,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.316{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\79d957d1ba38919a1353e91162125088a29a8360MD5=76BBFECD01DFC79AEE5B0E1A0B1541C5,SHA256=FF4ED6D22DC700DE505E38EE627EAF513C89C491C483630FE1679F4D8B18BCCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.315{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\7901d488c3a11db89ae8d7e108fc5cba17787c64MD5=A5B90CA33E82B2C628CD998BE71CB036,SHA256=43F9279700E0A725DDF5BBDEEACC34DC5D87F9159D9F8F39A7AE4691244445EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.313{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\77ba2cd1c23678381fd85a4feb915085db5a3cddMD5=6E59CC373A6E57D3777C39BEACC7908A,SHA256=48872064A0397FD5BB149AC8DDB9C2523039895C3D339CCA8F7DD06622BC2B76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.311{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\766aaab57c4b27243cdb4b46afd18d3b9bbc92bcMD5=2B60EBFB6F258BAAFAC6D76EA9E3E02D,SHA256=5799F2BAA83BC96FFBF4B438BCF9F0731CF7AF8821FD13E787F58E08E1EA2CB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.296{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\7260073106f223a435f0f4a81df264cec08a8c0fMD5=24F0EBDF252954E841F1731315D38068,SHA256=6B4E481DA6D7EFB907346D2157219070FEC27B41483818FEEDEA30E36A4CC5B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.296{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\6fbc9585e2cc3bca7c6c5eb5413e6c20c1c87b13MD5=B4480FD440621AA7006A6BCCE05117BE,SHA256=47F1197086292AA8ED8FE18F3D066E662069D5BF424DB68F5468013381FDBE4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.296{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\6e09bfda1a5533f5efba28067f000186fbaa9503MD5=29CD79768A7EB023F6B547F5A6C7A31E,SHA256=8BD6FA241788118F2C19EEF236D14E9E23D62D144CA1880ADB22952BE16D1F5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.296{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\6cfd6eaa1d56a30d474640331b9aab7c9af222f5MD5=92A2007DACEC74C8729CA626B0C22B8E,SHA256=A6BCECE5241F12292099D80B8991C2A5C5B368D6A73AD05698912C60ADF0575E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.296{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\6c3ad2d15d9bcf598f865092bb73220e621179f4MD5=FA71D7E0FBAA2787F1031DB03ABE2E9C,SHA256=E8AD3B2C9717DBCEF8DC23EF1134AB2E2D5636FBB9EBBC86CBCF0DC3CF1271EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.296{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\69180e11090e0f915d0e3b719069813a64ed4150MD5=898B2535868CB1BFD62BCB9509EF95D0,SHA256=EC5C980F1A16F621D6A23F6B4BD7333B6368DF7DF3169D5491E895052C243913,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.280{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\66dfca6d2442b0a9170a24ecebdeafce4d78b88dMD5=4A5FD19ABE16388FB805084D6E62BA9D,SHA256=5B36171DCF72138EEDAA1AFD257255C76881367FEE1E75C763C5C7AFB405993A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.280{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\65a242421a9db4b0a91f841f415baf4ca873361fMD5=D89917A50114DBD3096A86B5D04B1084,SHA256=61AEA0B7D81F1C6A4DFFF31A8943B3C3B6C6187D2AEE53C0D66BFCC6AC533442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.280{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\64e7cfb0cda737b87209a9b02ae0634eb884b500MD5=790FCAC773958F7D291F9EB6C178F7A8,SHA256=B0C53C079577CFFF28769C25BAF3B2A53BA1A40E78513B463644DF356B2DA2BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.280{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\636c16810d7f79c4977f95da6a40fb9551779384MD5=252B243BA807C1A831134FEF5E1088DA,SHA256=2FFA9971E1024646C312E249B1FA38B27B3AFA237EECB65ED11F2A9940D4E0B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.280{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\62c9b52b0dc434dfcc4c7f2e51f15051d5ad434fMD5=151A53654A78DDB1D539741721437AE6,SHA256=BB970220E1A928D7EDD8CF22E56354C6C78AC3DB78D1861BE7DACC7429457CD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.264{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\627e9fd5e3894395feed974579f0b84939390e04MD5=C2EA7032B6983EB361DB49022E1B8514,SHA256=80E12766DE0D96D8A6531E2B2F33ECA386DABD5437387B37755FA3AA41735CDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.264{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\61e3a4057422102d4607dea07ad9b029b96c5757MD5=1CF67C9381B2B547834DF6036298211F,SHA256=9F8148C5E57B7DBA4C80CF66DB957FF279B5AE194660F48C0E01F67520DEA26E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.264{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\6059fd06be38c5635195a473694b9f50c94e7209MD5=D2C99368E14AD6E566FD643D65568446,SHA256=18AA9D73F4721427494C71793D4FCD3656A22DA07658D1376E6B24CD7DB6DB60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.264{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\5dc97e775c535812b5920d203f1eb2bbcedfa789MD5=EDE898742D5969830E2ECB3902574A54,SHA256=E59B32B935A5FD2DCAFFCF9EEE0E906B69A750B5EAB5AFDC8EFC20E5F6BC28B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.264{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\5c85ac0444b519ff540c816ae63ce9b596bf0056MD5=6588C6E70239ACD562970BA1D8B0DF57,SHA256=A8A76B5E2B0549F493B63EED6D9E763C82FEF2D90F9ED56D6B9804DF4D436A27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.264{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\5c767e140d2866fb3fd95c0488dddbb6f0b343b9MD5=082BC569C028E166E4B41D91A538E3E8,SHA256=704EDA28CCAF9D416A862B61C5C108B9C800AA91F1D9C7FCBDFEA2469ED6932F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.264{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\5b169ffc0b98c571deb3e592bc43a7e5bdf5e663MD5=9187C189B80601F2E53207EC5D0F2EF4,SHA256=84F4BA45687832B344B9B79D286154D9A439461CEA965ADA2F309A1C02C4E9C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.249{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\5aab7a5c9b9c66151250a381ac6a8d15384caf7dMD5=4CC6E10C8C33A1BE2C68AF644F0F6EAF,SHA256=12D6E7006B7C3452E06AB2CE55CAE6E13D642CF4319837ADB8BF26C1CFF91D3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.249{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\5a58025989f7ab3d8ea7dd492ba242d3894a3bdcMD5=702841A2C8275D07C9EDB6CD342327DD,SHA256=41C74F63E23A56F87DA942BDCCCFD7F8929B6AC0BBAC21BE6F3E09394A3D969B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.249{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\598579f498bd87326a826e580fa47c483c973801MD5=011936798852A8A6249E894928ADCCE9,SHA256=9A463091B5C776C77DD3FC4FBC2005FC092F357C7624EE7AFFBEBFF489C628D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.249{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\594fdd356320bd35f73a3d820c40a28bffca4a6cMD5=C465646468F5C50C3C52A319633507CF,SHA256=2BB0B14075F6156DB07A7B41C827136C4C93A24281B4E76AE0915EAD7D9DC8FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.249{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\5708fa1c112627bbe67c23931df75f91b1fd719dMD5=6ADA4817740F69E3FBC835610860FEF2,SHA256=E4D5FD32D34083FD9509F078F59F32C505B218B486A7FA5368F45227E7EA9F0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.233{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\5672a381a3152605a66ea805f66aa430399147f1MD5=00A9676E8B26674B7490EED841CD289C,SHA256=A756C870C1ED27ABAEF6BB9ED114E3088683A3A225E44FF215E7E6406561B883,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.233{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\52200bd6255f4af1e3896588397fb1ee5e5895bdMD5=FDE7E753F2AE25D2CD0DA58F4F27A4E0,SHA256=200311C8D4CA47C6CFFEBABF0395D1B984ACE290FAEA576B9CAE74228702A235,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.233{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\46737f8846e9962af8e442125a1b063b0c7d0a45MD5=D90B2DD2A74AC93D65EC007DC51489D6,SHA256=C5F682632C909B0D2D77DDBE9B23192BA269AF465DCA84BACDD6974BC359E2CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.233{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\44e2895c8f7988ae92e384f6da9b553c89bd04fcMD5=5A34CCCD0A9C7D83DA8C5439DAD84613,SHA256=DC5E5938720B5DEF3C89B7A7D0BE7E82F116209DA83E05FB1B40A62707A488AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.233{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\442afc347b2951074a833f8a240f554ca55da18dMD5=25D02D996CDB19088D1AB768D61FB7B1,SHA256=6208EAECCB7DE410D4120AA3D69FBB507CBE149A7C279D1AF5FADDBD4F52B1C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.233{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\43c0189d5f097f178cbcbb5b503e0fc227889787MD5=35F3F6651E95DE9A579C3966A82381A9,SHA256=79F27986C9FB6AF38BABDD6C5CCB6EC707BD8D8F6C0B3FC7CB933E076F29412F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.233{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\4288406d086b5ff89ab74343097ee23daab50e81MD5=694D586F562A4ADBB462EE0BF15536E2,SHA256=5BE0BCDD71055E99760380626E258F640B75895F84EA900EA43DA64F5CB7E1FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.233{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\420696514742b00ce643ac0627e024a08b2d4b5bMD5=F75F6BB489E0E8F19A5B09805AA1D165,SHA256=381A2AA32179E746D28B3FF01AA85DD0B13D738966A58DEFC2EF2298280871FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.233{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\40da001aabac869a9ab983adc2b6f2c9adb2cf13MD5=0478490CE4181B4EE5A4CBC0B00DFF4F,SHA256=8F8F318C5A80604F7CCE4823C25816DCDF6886EE096A76B8E56B06FC18E1FEB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.233{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\40d5f02d1b14bf7ec2d3dc33a27e78b7be38ebd0MD5=D629F8B168C440229345B08F9A3FBD65,SHA256=FA59CC550E17D516BC8D27C8AACC42EF1CD8A0BE7B4815524BF30100E535AF86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.233{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\3c2e3c27f31f7b84086701701d6104a78cb1f40fMD5=8CF84307FD6F962064CCB2DCA01A3FD7,SHA256=C45AB8E1897C696A757BBC01A3A75E6B75109E278697C32CAD34B77C5DF110AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.233{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\3b945fd63d3ce77c2eca0f145c79a8db9659f5dbMD5=086C6DF815BFBE630E3CA5DF0969276D,SHA256=9E8F22FD6BAF2DF68883D939D5453A92B48DD491DFC4AF9923D456B668FD941B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.233{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\39adefcc6f6eda8e0d12e940fa38d6d9b7b9db5bMD5=F5A645D48E960DB62AD365033D23F280,SHA256=4319ADF95F6F2CA13E275E2A638C9CD159414F1696A505CBBEE3CBEA59E823F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.233{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\38f87481cd1b665129e44907f88db058653b754eMD5=2109F385224C2712F2D5D33D37FE1C63,SHA256=1B59D11DA13C84783962C2BF421EF2C95AAF5EAF661CA5026E6E1F66A08CB97C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.217{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\375576f88820ccdb6dd0b715ad9079d2109ed7b3MD5=779BB6257A4AF85DA1E8C14D06533643,SHA256=994B29C26CA4E02D5F2F2AE1D496AF08688CBF8D54FE1577A3D9F891475E40BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.217{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\372a27209e25e56aa9b1c39549c20c069aac159cMD5=0D299983762701732E2BAA06560A621F,SHA256=BE7BB576AD25B460944B069FD8AEA19E746287CD6C096ABCBC0D019C54E7727C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.217{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\35cc8200c5ff48ee7441ba4242e27191d4039b62MD5=CC9DAA91D4BBCA1876E2838C474F98FE,SHA256=C7F430BCD47F4B5F1274F3939F3698EE2BED687DA639FD2AFC18B230A978D76D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.217{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\33b95326092868870eb51cca294f410bfc13542eMD5=E75875B6DD79AC581364342FE4D25017,SHA256=615ABD99C02DD820EE74A47715B297E5CC7D12771EE8002DA96301DBF553B6F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.217{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\32857cd3d44178ce0eda6ea3db30c1da0292abbdMD5=49B4DE6AE800D43D1EDDF185366F12C2,SHA256=94D16DE9D9615A07FE9418A794FBC27A7A3D18125D66F74FF07C8271D452ACD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.217{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\3150c8426c7e4d3139591b2bd3ac08cc591d743dMD5=4421DB08DF5263C53DD3974A4391065D,SHA256=59214CC0DB76CF47B5596E5F0415B4C103DD4381F2E9FEEA7DFF826F01F0D901,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.217{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\30fe35d9957aa4e654c9f6c0152a2c909e83ceefMD5=537DE496124F90221434E9088BD1B57C,SHA256=376AC4BF0264CE37E7FDB473F3867CC614198CEB44B3750B0529A1315B3CBAAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.217{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\30fb69c2bfd41813e6df6d45ef7eda104f569b5eMD5=4489C62B42C97768C1DE274C2DA33687,SHA256=D12FD30D15D055C8436903C26EDDD996746CF1ADB9E5FF2DDC2D5E031D7FB704,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.217{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\2f32891481e9ffe8c22f703e6a6d6e5672112ff6MD5=CD4060565FA56C2469D192E3D547F1D5,SHA256=4F859F7D7DAD95454A08AA326A2EEF78D89B6DC460AAE6DE1F65F5AA5C4CCB5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.217{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\2e09eac1cc073ba2c64dfb950d82d05af955fb69MD5=3D8FECEEC7F950D68860F425CA322DA5,SHA256=03EF2E7D6E8BDA62E0AA860BFA7739A9BB0074CDCA0A859B3B26BCA68660CDBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.217{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\2d6d0a9d01a5c835abc5512f6762fad56c649c9dMD5=10B09C2D5966C7312E8C3C1491774925,SHA256=FD3BD094F46AB4E442731CAD26FADC98FDEE74343E51CEF5CEF5481B64B1E462,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.217{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\2b430ba6656a58195c1305a62caf1e4fcb9ecf8aMD5=E8694AF76EB7B0DFB8113827274C66A3,SHA256=A72708FE95E9E44E64B8CD001EC7F7A3F4B06DE127EBA37DE4A601C53550486D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.217{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\2a89c5a7a0b9832f654919a055f16146efe96206MD5=75536EA47EABB8EBC15A3581019E4074,SHA256=4562CE3C89CB77FD12485C86A6D4504882A184D2C2B01B69B6E792A2B2A6D54D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.217{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\28c732741dbe09d18c23373087caddabf3f05b08MD5=ACEEB3266BC75747D8819D43612DF54C,SHA256=8EAFFC9840C043ED2557546C12FCADA696E26ED8C74382F92DE0B0BD3D68903E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.217{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\28a481de142c61e1e52ef5b0cc99448f11002faaMD5=8634DAF4B0707DC1FFDB7C301D6FB87C,SHA256=F1F71BE88ED67EE03B52A74901B0B5E8940A4452AEA05193472DB16F41BBB1CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.217{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\288d2d04715cc9ff734a6b641816d421f68c4a34MD5=DF0D0865F6D19AAB3651141E401D6D6C,SHA256=3EF693167226D48B75E71A2BCB3CF50A5EB073DEE2D8412A626D7A41FBFFCE50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.217{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\2698c7a05b6fa53b9e36c53ef049706ace7491fcMD5=10DB75A6C2471D5FC2F2CFB7BA578D27,SHA256=B75A8857CC3D2FB0EE0C237410F73EA1BDDB4638FE877A84DB0CC9F3316D0A55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.216{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\267c201576424288ceab200e08d113e796b24180MD5=BBA346E1FCC254BB67CAE213B120FD4E,SHA256=CD7FBFD2894539B38313DC307C06375C779A0C6199C3E6AB6FACFB0816B2F5E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.215{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\2661b369b70b72453bb61c55aa7d643ec81bb89dMD5=5FDEB9E9A4F9677B0C87290893D7AF50,SHA256=625D50D263E8D784032C5C64EDC589C36673F386962AB2B8516C9B8E2B4E36E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.214{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\25bd5db7bab7cc9295361160fedf5f5dcf1b22b6MD5=C1DCFB1DC4A2AD0F06A9D3B21CE4D12D,SHA256=BDB3DEF2EF865EEB540CC7763ACDE8F8DCF7CCFBADD6779A10D916E52EA29A52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.214{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\2590dc00b4474debe18669ca92c0d67f6442ed16MD5=1F3AD764E172278938602AE089568879,SHA256=DBA12F95C077014604FA9BCAEFAF9AFE737A1EA7E520605CAADD2A79F4EF8A30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.213{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\22ecad2f36d3c2353d9fcf7c17d53df10cca0ba2MD5=92733C7C0BE82F2E108BF10148A82B6C,SHA256=98124A64798000658AC33A22AB06B2CB3F86668BFBC0A6DF532654A029911687,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.212{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\205c3a393e61a348ee033387b998471a4164c4ceMD5=338C7CC65EAF1652E3500531ED332EB0,SHA256=ADEF845E98A77288DF693E137E7516663A8DE37908FB938F4669F2B89161C77D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.211{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\200f4feb15e044b3e9b9054d169d098fc54bff98MD5=632919AD49BAA01DA39FFEA3ED9EF652,SHA256=C0BC39916651BAE5A3ACCB2F5F07E36B378ED976D1AE2F67F6105243140FDA24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.195{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\1af88c3335028750a6078fc237d5d2071460ade0MD5=AC4011418C0653282F91279B764733F7,SHA256=BDE986797CEAFB08646C5CAAE899E89CB3B0FB504294915C63F2FC8344A0AA17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.195{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\1619c200f0826827bdecd369985c5efc57c1b8c8MD5=4486EE975470912FC0714B0B100C033E,SHA256=A8742EDCAACC12777184A391BB9C43AC515B50C4C33AC3DCC7BCA690403A82BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.195{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\133563d532c64e613175ec24cf42c35a8cc530faMD5=31BC3C37F3BE82635CB07653AB9EB4C4,SHA256=3B7095F5C210D24576C1328009E66A2B4EE046839D64B3283152FC4185C064AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.195{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\11befbd5f637c102c92e4ea18da924cba10ba25bMD5=11F8F37E32153812A4C808890067CF40,SHA256=9C65653D38FAC33B7DB56418601C7AEEEBA161B81830041ABF80B973B83C96A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.195{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\10dec7d4a7581e6014708fd0a4b9ba7f05630f99MD5=3F044CF6DFCE4658C39C7BAEFEE162D1,SHA256=BC90A561A34F2E1A45AF7D2B4FAD03DC3B119AB4FEBEA019A44EBF23888087C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.195{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\0f3cf7b26d6522e9766797619d2cc51eb5224e58MD5=75DE1940F32E2D8FE29B7F255E5688C2,SHA256=2A4AD755FA1A5ADB8661EDE47D74D1757EB2DA3E5E2C570E7E2581A73191938E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.195{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\0eac80878b6ce8ecd3b0bfcf09f41fc2eae5bcffMD5=A6849E8B4608A651D37F9B68B70C40D3,SHA256=B30641555DAC58DCCA56A5FA5575659C46FF17C4DB09CB83069CD713BA6F4F98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.195{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\0d03641f205236952159ed57c54cfe6ba860dfa0MD5=1278B7075F9F8C529074193731FFA3D9,SHA256=EF0AA5302DC709558B7C777066A8F8BCC6F490E60863810C52418396D52079A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.195{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\0b225d437c8b7e1667d2f4a426a6ac4ad07268ccMD5=0E348CAB19207126686963400E6C0DDC,SHA256=1C674054659DBF0C620126A38F2A32DC1D2B72E5BEE57A59F76D9AC879F5CDAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.195{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\0969fdf27cde7739accbcc5765f079e82ca5aafdMD5=80681ABCA0498F8F62E43E669CF8EEE2,SHA256=B148D05D3F4491696ECCBFEA68087448CEC35F3263D54F7857F6F6E65C2165DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.195{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\00c4ba9be766c3a81dbc28e67b484a5d2ea94c4fMD5=7BD052ABFFFC2D78D98870A9C0AC7407,SHA256=466B5B1DDD094E742C1B1FA8BD62864FD5154FC99EA66036FD2258EB5A870874,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.195{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\RtSigs\Data\002ec605bbeca34e10dfa84c8d3476f87471d50bMD5=8ADA5E28300929E41AB5153A8ADE115D,SHA256=DB8E9D5A88EF804971913E282DF119C4977247DEE3A06D25265A56B3A87C5D35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.195{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\MetaStore\4\0000000000000000.idxMD5=F82B72AE1DB77A29FB671CCA4203D7A3,SHA256=748BAEB096427BDE03650418C43AAD344A26A84E5ABE26D0BFBC094337C2CD28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.180{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\MetaStore\4\13\1D6EE38A7E58E49D.datMD5=B65DC451F2CFD073ED95A1360688F04C,SHA256=8DA345B3FF16AF02CFF7181E3FFA2E45ED2B4071283D6832FDA85D39AEA655D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.180{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\MetaStore\3\0000000000000000.idxMD5=AD444373A4BEA187144A0A9B1BA5367D,SHA256=5564812C4C399F131D702BE537B7B7C3FBF9BB584B3C3D06AA9D7E34EBCD0E05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.180{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\MetaStore\3\81\737457778730B8D9.datMD5=0147DE1BA029C385AF43617CDF2B25F9,SHA256=A3966AB89FDF5AABC319B48CA05FD4960D030FC14CEB6805B4AA940A132909D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.180{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\MetaStore\3\34\41D5E8D387F41E9A.datMD5=F73F9964825CAF4722724CF45693F708,SHA256=12D85654F126CB903E8233E30849C0EA0F6C5033ECBEFB4FB13557ABB33609ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.180{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\MetaStore\2\0000000000000000.idxMD5=EBC70C6C6BF9DAFD60645AC4E2B4A64F,SHA256=E2B6A60152645647E687618AAB517E9BB3F802AFE77BDDD7BAF4387DA733C7A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.164{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\MetaStore\1\0000000000000000.idxMD5=C113D2D2A58CC4B817D616EE021427EF,SHA256=88C466805540295E2DE2650758585052A2D635D049CA8D9741867E094C8C5D5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.164{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\FE076837D01BBD02F9657ED54AF9A29AMD5=44EE089BF4B64EB888180A6641A33F81,SHA256=FE386A88465C22F660A4C8FC935BB78A90B9D07992A4B3D39C844282F2C19732,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:50.064{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\History\Store\F8DB193E4C44CED91E5A09438FB23828MD5=DA2A381ED3F796D7A21D4A0ACEA93BA5,SHA256=FCBC9C2AAF9C60E02ACEF85A2D836CF3CE91EFAEDE643392C5C44B9C6A3F9179,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000061594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:49.868{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62427-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000061593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:51.485{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=640AF70C1F2073B4C7CE28F9D20E5E8B,SHA256=346A6DAECDD4ECD9C00F2F6D62B8A5EE508C7DA800077AB60F61B4C005AE684D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035488Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:51.394{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978F86E54DB393B70287BF50576B0E78,SHA256=AB186B586463ECDB85AE4FA020E1F1581BBBA80E7E9B2DB142D785AE5CB9A1CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:51.469{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-7451E71CA2310750E3D8C08DDAC30512E2666826.bin.67MD5=DF09A67954EAC36DF5D3800A60A4A2B0,SHA256=023E8FE218A118DA03DA891FE6C698AD74F7C86E86DEBAB64DF1F15E4952CD19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035490Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:52.410{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF6211AF9FC2EC7760D2040B3E266C17,SHA256=9C1670C48A3C68D1E7E487D9DB46FF567B969C9B628C8E418439C53862FFD9A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061596Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:52.486{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09FF873E3F3561B6656C13432B7D11E1,SHA256=C6BF4B08BBEBD94FA1C2FDF875587AF2B68BAD1666F43B714F10C3C85CD33F44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:52.433{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-7451E71CA2310750E3D8C08DDAC30512E2666826.bin.6CMD5=18D4676F475EB983DD32932E4F36F9CA,SHA256=15DF9D7686CDA7C78165842CF3D00B28CD9D3CDBB086774E498141FC7BA7E2AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035489Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:52.316{8EF30467-5222-61E9-2000-000000002202}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D436AF652A33B7D06FAEE8F888192108,SHA256=D76038C381859681D8335FD4E07B206A8BF432D2938CEAE5F3738101625CBCCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035491Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:53.426{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64A3E1C4BC986FF2D4C17C2E1CFEC6AF,SHA256=2AAA31A3BB598103F5F09F9CDC56E7F20BAD69B34F30D32FD75D67FE495FAD65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061597Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:53.487{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5D6E40CC290AFB24628C6C910749913,SHA256=6E6D0C3FFB8DFBE3220DD60AD4EE68CFC72E46E395111C5FD6C4B3F0BA3B3357,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035494Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:54.441{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDE4C34609D986D2DD18BBBFD4113398,SHA256=B9F6FEDE00A0EEC93DEC94980368018A63B348C480EEDB8C238F64559C2340D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061598Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:54.502{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=982FDC910611392C1F6BF2BA5C52C80E,SHA256=D4698ABB3BA6F7AF79FDD695D54B3FA63EC34DB013B49A5BEFD2AC932CA385BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035493Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:51.371{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50989-false10.0.1.12-8089- 354300x800000000000000035492Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:51.262{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50988-false10.0.1.12-8000- 23542300x800000000000000061599Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:55.519{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B50BEEE92549DF5E10EFD132DD1A8A51,SHA256=A857135B209331271F8E3322D4ED2F12CE36DDE44E614DC7E3FE73B6D8FC1E4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035495Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:55.457{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22061A366800AB850B31F375E500CDD7,SHA256=0F6AEB28D090AADD1B6AC96094D19A9451FA9EC22E3863171D54D409ABA9FC7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061600Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:56.552{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1DF0CD150DA17BE93404DB9BD3ED6A6,SHA256=277E029AEF0EC95A8422A3C08345EF50BE2F78938B0665B57BBEE98CB86E7C5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035496Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:56.488{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7E83096431E65B890D8D90F7F125705,SHA256=26FA23F638DAD5B3FCF80CD0F22A23EAFF131E75D4B242C49244A892F39E6A1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000061602Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:55.772{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62428-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000061601Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:57.571{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B977DB42C2ADA9369C363814AFE06CC0,SHA256=474F0E9673F33A8DA9A09FD1F2013EF3108ED3811E7A0D50F39E7E7E09552C38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035497Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:57.488{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE2850B45B657BBA36DDEC20794E4DE7,SHA256=9D8CA54EC1C4316525BED79B282626AB7ED30B40F36124E2EBAF61F8B0A43A27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035498Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:58.535{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B0D7F8BCCF693E6F7204DA3031C48B8,SHA256=F1CCEC3082AC08A2023EE12F11650AEF5EF80DFE735E02BDDB5F0A5A1F9E8449,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:58.591{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7D5DB94C077AA204F4804D8F5553F64,SHA256=3055C9BF74C3392EA187158718A421E336FB6CD43E00FE1238B08C36D8B79697,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:58.391{67EB100B-5642-61E9-4001-000000002202}5756ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\7iz75hwd.default-release\datareporting\glean\db\data.safe.binMD5=1782C02E43347AD499D39D60335A8F4A,SHA256=C640CDF606FFC8418FED905D0D4CD3A4BF1A3F1309EA9CE2F0272046F4517B08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:59.915{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-7451E71CA2310750E3D8C08DDAC30512E2666826.bin.87MD5=B080A87A8BE626CF5D1F0239F6F2F8A5,SHA256=84DBF2F53575193F3143BD2E7EADB43A0F92F5C149BD409C2671929470327560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:59.893{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-7451E71CA2310750E3D8C08DDAC30512E2666826.bin.83MD5=8437F1DDA17BD5656E2C7B3CB08C2419,SHA256=E7616D6DE2933437FF7E1BF89D1A249CAB4850239D94D942E0A64AB7284D6803,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:59.877{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-7451E71CA2310750E3D8C08DDAC30512E2666826.bin.80MD5=139ACA9B1190B6CBF0A89E3A0456CEF2,SHA256=4FE4F6F274B8C3BFB4C6E8586AD80BE6ABBA7AC11DD01AC73E7D98EF975A7A34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:59.731{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-7451E71CA2310750E3D8C08DDAC30512E2666826.bin.7EMD5=5A323FBFD2D7604CF93AEF7538DAB3EA,SHA256=316C919B3E6D58E8E10F12D1415B3ABE588F9409247D39E5F89A0680806A9AF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:59.593{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33D6870848B56E1ED31275125400E158,SHA256=E921BA6A8910A52B3B23366366C955F6F3F71D4867D2C56126795C6E381F931E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035500Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:56.262{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50990-false10.0.1.12-8000- 23542300x800000000000000035499Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:01:59.551{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFFEF12B4F92BF4A1AE6D3DC31AA6908,SHA256=6552529A9B053CCB78706AC62E858F1B814292CD179F0992C5282BB775C69F6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:59.546{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-7451E71CA2310750E3D8C08DDAC30512E2666826.bin.7CMD5=6DE08DFC5FC4D0E6C2952D0FA2434A84,SHA256=E6D1E85F9DDCA80D5962063580B42F251E7E6041406CA61C01E1F4ADE41189D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:01:59.395{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-7451E71CA2310750E3D8C08DDAC30512E2666826.bin.79MD5=2EA23523FF5AF32BBCA9930351DCC6D1,SHA256=C9137609E080129CB879281335894973A504B867131CA9ED909E418C85AFDC0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.892{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDeviceControl-20210811-053803.logMD5=8ED2EDFC16F4B8E8D0A1249F8DFC8EE2,SHA256=D366BCF11F6B6DFD80F519A28D366A7FD1265540EB11CEB9F7325E57825D7B6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.892{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-20220115-070943.logMD5=F3B25701FE362EC84616A93A45CE9998,SHA256=B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.877{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-20211215-030539.logMD5=391F533B01AEDD6F9D8A59A1B3E26B39,SHA256=68847BDB1672DD16AF62E8F70820AECEC0F976D5E67A32A17048895025FCA83D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.877{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-20211110-031318.logMD5=36CAF5F41B1D58CC271D4326BF72F720,SHA256=2341DFA2D2ECCF7D54D1AB663030F7F3EA68D744135C41375FD5B922F6B32E87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.877{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-20210915-030314.logMD5=055232D2441C9F778A3C1AA0AB6F4272,SHA256=7C11DA49632BFDB7B79F29C63F436415269EF962FE1744B89FCEA68243891B13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.877{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-20210714-025705.logMD5=98521A91404558ACBDAF5D6D2CF4AA3B,SHA256=2E4F67BA3BAECD53705BC8141F59AC95718BCB316BF70265FDA064B729612E08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.877{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-20210609-032955.logMD5=C15E2B96BA4050A2AB02808714FDE3F7,SHA256=C8CD54E296722FCB4EA236C8A823543A1F8093162B468848433A78AD53C85512,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.877{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-20210414-025347.logMD5=151CFF8B8F5EFB852A3E80452768A961,SHA256=3B3F0609AE34D368C2CAEB78353C1414700BD927B16F0BBA4CA264210E7B0065,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.877{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-20210310-175236.logMD5=25AF4408C53B55D34476B5C1C47E8445,SHA256=DB81C26ACAD132301116096FD303F208F4BA92A6A75FA8F6D4882DBE0C36B657,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.877{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-20210113-201324.logMD5=F3B25701FE362EC84616A93A45CE9998,SHA256=B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.877{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-20201209-052029.logMD5=CB0AED3B296DF6F1FCAED6DD79DA46DA,SHA256=0A9160944ACFA715C8E6B37DE42E96C1D5FF27A99F2E4DA6A60E4EC37524F7CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.877{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-20201014-024353.logMD5=5834C1F517D9E0C996ED9B05D829CDD6,SHA256=ACE3F612A89D49B2CFC8CA5EDC2A0E8014525906142C689B0B121EFA5E44C68A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.861{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-20200909-033343.logMD5=62639D5743F9B4B93866DD4186F62253,SHA256=FA161DF42AA225C0016798B63F24A89288CA6607540E3A2DF4DE513ED85F8DF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.861{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-20200715-053446.logMD5=3F02C72BE330A0B2ED7A1CCAFC0708AD,SHA256=631A9A55461CE459743471EB0A6E143C59ADF8B61ABD199BE16E7EE202C56321,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.861{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-20200610-052915.logMD5=ADDB568CC54D7BEFD654EF9B39497686,SHA256=7CE87A8D22B3F8780EF34F97E9DB35C847E4ACEDA4424F8B9D2BD026A2ED960E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.861{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-20200415-052855.logMD5=039CD61B7D4B5169232BE65A742A6AC5,SHA256=BC4CEA100C52DA215D12F360874A75D532AA720BD7AA04966EE0DB7D59033F44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.861{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-20200311-053305.logMD5=97242E690FD48F9FF746B8D9552029CC,SHA256=68F9F7A54402C662FAADD350C7584E19E95045A6C00DDF474C3A67D88D24C021,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.861{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-20200115-053116.logMD5=F3B25701FE362EC84616A93A45CE9998,SHA256=B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.861{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-20191214-164545.logMD5=8799E93AC1C0397B19503E74B2FBA180,SHA256=A04B823B0D79FAF2B1D962A0FF96442C0AC2E8A63245F4E1F034979D4269D7C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.845{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-20191113-052824.logMD5=B933CFD9301937DEF6CA51A51AA2ECBA,SHA256=4536C8E0D86B1DEB12D0651534BF8E61D82BC98E47B76EF868F4FECAFD8026DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.845{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-20191009-052626.logMD5=73185957DE2C515BCCD3D539DB3306A0,SHA256=BF5B52767D69F964F38D9FD25D6460B242F6C4578EABF7E4F1283B1938FC7283,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.845{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-20190906-052800.logMD5=F3B25701FE362EC84616A93A45CE9998,SHA256=B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.845{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-20190612-052748.logMD5=4246B578DAB78947E4BC51F0D2F2C4DD,SHA256=29BE841CA3016669D5E46DF8CDD30A5D716968A95F1B2D5D23AD2292774D2BC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.845{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-20190421-053209.logMD5=3D27CD6B8107F25C69DFDB3A040BE558,SHA256=D5F299AB81196FA0A8E9813C65E0828FD915759964A7927C383085A29E34BA2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.845{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-20190213-053313.logMD5=C94684004815E880D6CACBF1F6B92456,SHA256=ACFB759AA554E8BE8630E24DA08F4B8381A6C9B443A205BF66FEAA5ACD9DB802,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.845{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-20190109-222025.logMD5=F3B25701FE362EC84616A93A45CE9998,SHA256=B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.845{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-20181119-024200.logMD5=82A379B1EF8C92EBE70003B2D005127F,SHA256=25ED9A31BCD22AEE47CC632C08A74B358BE3509AFD66BB3222E7AF9E64466B96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.845{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-20180916-181813.logMD5=B732A95E7B9EAF23258820C0828C5E97,SHA256=F129E04938E65559B03A288ED9FCA21F6E7980BB5FA3918AF7E387E023ECB200,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.845{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-20180814-230709.logMD5=14AC54B4CCD5E33E3CEFDDC57C4BD4BF,SHA256=049BBA498BFD33AB4227D51C21E1BD7E81817A6B6FA642827321F9A32FC35687,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.845{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-20180613-051431.logMD5=0AC26BD2E3B4C21D35B2F8C35953751D,SHA256=7C5C03C66252998626DAB8D4E2E03BD04AFD863B2706941ABE00ABE9397AD4A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.830{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-11242016-000541.logMD5=F3B25701FE362EC84616A93A45CE9998,SHA256=B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.830{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-11172017-193005.logMD5=F3B25701FE362EC84616A93A45CE9998,SHA256=B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.830{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-10182016-015358.logMD5=F3B25701FE362EC84616A93A45CE9998,SHA256=B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.830{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-09132017-104812.logMD5=F3B25701FE362EC84616A93A45CE9998,SHA256=B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.830{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-09122016-043403.logMD5=F3B25701FE362EC84616A93A45CE9998,SHA256=B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.830{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-08092017-062047.logMD5=F3B25701FE362EC84616A93A45CE9998,SHA256=B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.830{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-06152017-165644.logMD5=F3B25701FE362EC84616A93A45CE9998,SHA256=B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.830{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-05112017-235041.logMD5=F3B25701FE362EC84616A93A45CE9998,SHA256=B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.830{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-04112018-184436.logMD5=839FC3739E8C209081C7A07C4D244641,SHA256=0FC17AB7C80F1600D10D9A981DC88AF97B989E20F04E414AADBBEC0057A15F91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.830{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-03162017-185340.logMD5=F3B25701FE362EC84616A93A45CE9998,SHA256=B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.830{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-02232018-102541.logMD5=9DF4BCD1D576BCC015026BB4E7DC7157,SHA256=0BFBCA53413C1DADDC3A725BE7D698587B6F0121C0984822722DA44B04D6824B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.814{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-01112017-210158.logMD5=F3B25701FE362EC84616A93A45CE9998,SHA256=B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.814{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPDetection-01052018-231907.logMD5=F3B25701FE362EC84616A93A45CE9998,SHA256=B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.814{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.dbMD5=09CB3DEB2A61A90A9B128CE83062C1A7,SHA256=FC38D77D5607A79AE81FA88BEAB6FFF15951CCDF56C3F4BCC2C4A809365DEDE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.812{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\MpDiag.binMD5=F4B9A3D2C698502DBD9D20C93D4E4C57,SHA256=E8F309A1929C1DAB3D46E50F663301C6B8D7FC6FFC0F98EB76497DB4897AAA96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.812{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-7451E71CA2310750E3D8C08DDAC30512E2666826.bin.A0MD5=AE2A288FFCA509F3A821A98F21A08850,SHA256=2DEB88A92316FF22A05BE6038B87D7DEE4B77B0E34EC2D7C281AA50AF5F67D0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.612{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10B6228BE31317BA8350479807D19B88,SHA256=37EA9910FD8AD4F85D44C9BDE38C9428C0629E18EF23DF1F9A6749C6F60E20FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035501Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:00.598{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EA5714A7F68580599BFBD55EC4FFF06,SHA256=D15A000F09834429785515239079E7042ECA12B455808D4947AFF5AB43D4D267,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:01.981{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-02232018-102542-00000003-ffffffff.binMD5=4376DA5BFB397F80EB38292CC8ED064D,SHA256=95257B6A3733BEFEEA2124355FDC89F149C4EFEDBB1331F36BE1AE017460F256,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:01.981{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-01132018-033024-00000003-ffffffff.binMD5=7B53663017A06C2C892D984B48922F1A,SHA256=70D75327BA2134B5DF75E78B0477B7C8C75628C478DE2B694E0AE8629D1854B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:01.981{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-01132018-025643-00000003-ffffffff.binMD5=367CC533B6EFF0379089E6A0F3709CCB,SHA256=68F3799A0B6954861BF77597C3E47337528D943111E8FE7F155951DB3B0D36EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:01.944{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-01132018-025529-00000003-ffffffff.binMD5=52C01DAB5DAF7A92A149D4238B2A3C4E,SHA256=71EC6B1E41C3B7F26421471C6B4A317188E204FBA70069EB1A00427758A23DA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:01.944{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-01112017-214946-00000003-ffffffff.binMD5=0985B41B6C6EDEEDE3138057E55D6BBC,SHA256=F06CCD4172863301B5B52299E74880BADF86154FB71A488C37A8DCED9EF302C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:01.913{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-01112017-214736-00000003-ffffffff.binMD5=1A0CD204ADB0A65A0130FB2DC4FDC79C,SHA256=71427DF352488048E6522EB737A5CD5536408B115AA7A2EED428EB7A2D7434F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:01.913{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-01112017-214151-00000003-ffffffff.binMD5=AFC39141C638BF31FDF7052937E51C7B,SHA256=02512916B4D42CD8683F65519F8DC5FA7F5E01B310CA4BA55351DD5FD5D31ABE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:01.913{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-01112017-210622-00000003-ffffffff.binMD5=6FD502F5415257B794206A82E9D9A623,SHA256=2ED1BF5C2ECD40E8259B547F68B203AE0C450C13EBA847B5111EF7D515E51228,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:01.913{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-01112017-210158-00000003-ffffffff.binMD5=C92DBDF932AC75310C1F955AA8520AE6,SHA256=54F6C3F580A2DFD29A3122057973FB761DAA7ED994B8CF6BD7B95B312DF7F269,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:01.897{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-01062018-001647-00000003-ffffffff.binMD5=89FF4C6A752E2C289253984B958434A3,SHA256=FFA032D4E54AC3BF364BEAEEC997F3758C4548CD66A0B16F0A45F886CB8CDB88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:01.866{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-01062018-000825-00000003-ffffffff.binMD5=60FA0CD63BC061DDDF1D7B3DD837CDD3,SHA256=798505AFAD9276E4D276BBDF992F602581FA1D88C2F5D1FFB42F707C285E2FBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:01.865{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-01052018-232024-00000003-ffffffff.binMD5=7425B116E5427CECB6607DE3841DDE04,SHA256=9DCA27B5A9B160B2960167CF1E34D48CB2C0F3E1CDFB631A6AE069F185E11ED3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:01.856{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ED9297550EDE6368FCAA1705781D258,SHA256=1F437B5CABFBB814D79D7309F91CD02AAB1AB90F813CA4D7522E7DC4DE0D24FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:01.851{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-01052018-231907-00000003-ffffffff.binMD5=4B15DC97974694DF57A5CEB301AA522F,SHA256=485CF59C0C006B1CB267430FBC6344C24F1CC823FED24F2F56296264002778FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:01.849{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MPLog-09122016-043403.logMD5=CFE0F34C5DBF15DC52304E9AA81E84EF,SHA256=C2AC5AA6FD59D36CB1B1D2E0500FFFE9C6389726D4500DA48D4ED8809FEE5B00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035502Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:01.629{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97BA676250BCEBE87C7E691D42C5EAEB,SHA256=82959FE760D57B81F22BD7E81994C547B31FB2DF27706E86CF3808E5E5BC737C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.997{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-11242016-000542-00000003-ffffffff.binMD5=399C5EA4744F7092704271A821DB47A8,SHA256=56A1C3A7AA10157EBCD4AED15A6F95A171D36C10127A20B51AF4CDDA521B0CC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.997{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-11172017-220559-00000003-ffffffff.binMD5=CB89567BB8B1122D144C847C97E798A0,SHA256=545E1ACD4B2E826440B56F1DE75246A13F0E93B006BB75DEBEB9C3255B3CFBFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.982{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77CED5E48D33544FCC9F5791AB27D64E,SHA256=5FA27844E2D87E7396E461D530B743B59619C2EEDD0E6EEA943B13BA2EEE4603,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.964{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-11172017-210537-00000003-ffffffff.binMD5=385B1790E3DC7CDE96F1F79583E71629,SHA256=3B9722E7EB32B3B288328B42BAE68A614EF8B708D3ABDB49A5EBF1ABB31F6F9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.944{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-11172017-205951-00000003-ffffffff.binMD5=1F0805E8E414C0C4837AC54C737CBF6B,SHA256=A2CABB0DA1C597741EEC527E29C3C07489A6C53BC22E6C3CE6F4C77584D25FAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.944{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-11172017-194329-00000003-ffffffff.binMD5=4D7D453CA03D6F12686879CB3C4BC3EB,SHA256=1D08CA503525B3DB99B351F7182D56518F2C5D61F5B00FB25F8394BE0740218F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.900{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-11172017-194113-00000003-ffffffff.binMD5=8E436D022CC7910142AF3E02D532E2F2,SHA256=EE6DA9A52C9F41F1BFCB21A39ACC71C6369644CDC14EA8BA7171471C6A469386,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.900{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-11172017-193826-00000003-ffffffff.binMD5=2BF0448E53384C62F3D0CF04C1694EA3,SHA256=521E20F42830F8D357C981ABB33ED2E66DA7ACA0C938A34F727601AEAD33D936,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.900{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-11172017-193110-00000003-ffffffff.binMD5=6C69057AA474B3B121F2FF771A9B8816,SHA256=420AB10777F44022CB3FD32C31711DD3E4FF253C20B6A121B66F4610D5F6F906,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.882{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-11172017-193005-00000003-ffffffff.binMD5=DBC63B52AD9563CE82E2645AB16CD38B,SHA256=CA9F6EE87B02983BA6E0771A33482796B0BC27E4EC3BF40045C9B3AA10AE2ED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.882{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-11152016-090148-00000003-ffffffff.binMD5=5700E912A58719EB5910C13E43FC08C3,SHA256=9600F969853FC06746EB6E856C9B34E9BC77B95BFA6B784DB06CD6D26F8CB46B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.882{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-11152016-081805-00000003-ffffffff.binMD5=0AA4663096E4C8BB35140243EDD81935,SHA256=1C6224A6EB0D0516829EF6191CE18881155A203F08503097A3A2A19536E37931,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035503Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:02.707{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=084A9D13D6F55265778A5501F1F7A8DD,SHA256=A43D49F880C23EAD4EAE6A2C2EC4E6839396469E154C439546ECB72255043260,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.845{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-11152016-081414-00000003-ffffffff.binMD5=273947303DC26B9B1D6A572DF65766E0,SHA256=9F228B63CA43D78BA7347B49579342A316E947738D52D15715E7F067B22C82B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.845{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-10182016-183200-00000003-ffffffff.binMD5=C3196244842A336BE78F2073A233B768,SHA256=4E771DCC186D932710F640EF84A008D03DF938788A9537A4C2960B507AA06565,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000061754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:00.943{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62429-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000061753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.682{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-10182016-182715-00000003-ffffffff.binMD5=D4ED956C7DC6A0B096E279BEF4CD70CD,SHA256=A775D30C37ECDEF2C8BAA6749A5627EE9A41AA8EE5F99A592DFC7B66F475C1F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.682{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-10182016-024432-00000003-ffffffff.binMD5=6B6D1305510A7AEFAA88EF4421272F88,SHA256=CD42B30FC06D1B598AAF8EC04CBD95DB7FD33C323E374400C1095E2154DBDA88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.682{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-10182016-015944-00000003-ffffffff.binMD5=0937F3CEDAD31FC9747780DEE6C85E5E,SHA256=ED28207E9041BE4818EF19BF735A3156D0B41519C76496A3F5111ECE947D4C0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.666{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-10182016-015400-00000003-ffffffff.binMD5=1C1028251C5314809F38492E820712B4,SHA256=2F8278C1C2BB6036559CFBE89537C745C26438A9351CDFF31779A6505C1A3660,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.644{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-10122017-070831-00000003-ffffffff.binMD5=D249811490C007168C71BF3BD9B6B470,SHA256=049D3C2E1892ACEEBAACEBF2B71F6898A66EECE44F2C82EE7A5FB38A723E8359,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.613{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-10122017-070527-00000003-ffffffff.binMD5=32EF1389DA0735714C2D380BC27DBF52,SHA256=22FDC84C3CC70B5F5B2F3542F9F009F84B79A9259063BB4A7C73DB45C7906347,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.613{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-10122017-050730-00000003-ffffffff.binMD5=63A98CD81F76A23E1EE129D74D12EA9C,SHA256=2EE804075E1BEA70872D9942682AA2607DE67126985ECA638C1FBF10C8AD70C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.566{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-10122017-045946-00000003-ffffffff.binMD5=4BE78E4BB33F46BA83D904AA4540BCAB,SHA256=5F432C29A3184BC487EC2C70BD051DBF5372D28C8C97328BB3B7C76F7B57FF6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.566{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-10122017-045841-00000003-ffffffff.binMD5=D3BC73F3E6C92F60887AD050F0BBF7EC,SHA256=EA68956F4A552E92B835696FE6359EC644DB8EC7FE3F6C05C829C1907F9E47FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.566{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-09132017-121629-00000003-ffffffff.binMD5=E3ADB3337EF224AB79FD3D61F34EF6E4,SHA256=6E9AEC60A86C3169E5B217AC2161C51F7F515D843B80857BAA518A231A18D5C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.564{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-09132017-105826-00000003-ffffffff.binMD5=709CC0DB1A24CB8B61470A1F019F0C11,SHA256=191D4B2FB1241A12720109D31AE16874A35BDE457A7A17616231DD984F2225A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.544{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-09132017-104919-00000003-ffffffff.binMD5=9BDF9FA8EE16952C93119DF0CC9A36E9,SHA256=D7DE214FA13927BAF2F02847EEFEBF0A34B68941DAF3787074EB1E278E703F4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.544{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-09132017-104813-00000003-ffffffff.binMD5=9A059A2E09DB28CFA4DC77E3E69441D5,SHA256=37942AD1C4ADAA920DA3E941B131DEB2A098DE72AFEE6D70C734E33888522B5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.544{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-09122016-043636-00000003-ffffffff.binMD5=0B6AF9F8FDE7E6F50D69417E3AEE4613,SHA256=66C7343175ECF99B4409E062F88FB75E9DFDA60F7C33EBD63D45127486391C53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.544{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-09122016-043540-00000003-ffffffff.binMD5=09BEA0011CC99409283395DF3CBD091F,SHA256=18243257D4597AF9759646C621B4EC1141F03DF759772DC94F1D87AACAEB594A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.544{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-09122016-043451-00000003-ffffffff.binMD5=9915ED531178A1D4A8FB5D78E7E54C5D,SHA256=FB6B5E8D21F2F188C37ADB88ED7A8821DB2F5343F9A3D968A05562A0A27DAB8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.528{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-09122016-043403-00000003-ffffffff.binMD5=8977979A009BCFC9C8A9CB7A7F02342D,SHA256=DA63C751AEACB319AB5AB4E2EFA4B3D6614DE6861E29538E7D12C7A35075FD6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.528{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-08092017-090032-00000003-ffffffff.binMD5=93B5E2D98A497CCC97BFA7FEAA8BB845,SHA256=8240BAE4465F4C2D3E83BB2AB3242EA1C0659BCB0A3D2AEF4F1733F43E99FEF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.528{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-08092017-085510-00000003-ffffffff.binMD5=B08087BD4018F7617585FA0AC04482E7,SHA256=B2A2F3C50865E56426EFD255D439423A56C127E5931293B9053CCA1B71FB3CF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.513{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-08092017-063106-00000003-ffffffff.binMD5=C14AAC494F40EDE80B83FD250E88EEDF,SHA256=AB9C08A95470D95B18CBBB78E837A80EF128CBC3389841144271E36F7B5EF447,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.513{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-08092017-062138-00000003-ffffffff.binMD5=E3391CCD1AD7A0499DFCFE5E97D6BE4A,SHA256=93A489EC41DDDE2CBE2F1BC64EF30C274C46160E341A521975A5EF4C1F19CB2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.513{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-08092017-062047-00000003-ffffffff.binMD5=B3B3E34FA246A24F44E1CEF6628A72DA,SHA256=781CAF22B665419F1E18B3EBBE012307AA70EE98C14AAC0E8E00442B9F2C0B6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.513{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-07132017-011921-00000003-ffffffff.binMD5=00E368886FC77D4D28C9794628EA052C,SHA256=9E87A03371A056A59FF35A82AFF528780D5132288AF05B69BBA2217D8C783604,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.497{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-07132017-005527-00000003-ffffffff.binMD5=7506FD993F0300F19B925861FB3262E7,SHA256=69C2C36244A6141BAE6DF81D6E88B18DC3D87E2DDC16396E91184D0C4FA41E8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.497{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-07132017-005013-00000003-ffffffff.binMD5=BDA48DC705F71C263662970CF76F07BC,SHA256=48749014DF5D51AC3A3CB62F0B4AB6148C0D2E9B829D4ED9C43B33907062B90B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.497{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-07132017-004807-00000003-ffffffff.binMD5=0E0FB719DFF28C0C136BDED4F52F41B0,SHA256=71839AB3AFFB8FE862007327DD3E13AC6CE2E4621959C77D473BD0BAAD379A42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.497{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-07132017-003918-00000003-ffffffff.binMD5=7DFF621B5B8A61BE58FD7E5CCC922CB8,SHA256=604D3A6CD6A7CEBBAA8962ED4C358A152DA72FFCB9576EAAD11D3714E37818F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.481{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-07132017-003816-00000003-ffffffff.binMD5=284117DC40D8ADDD52B5BCBD9C798025,SHA256=F41ED6B8C40253701AC91041F00BA8FE27EB8952EF832E41CFC4BE105BDF915E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.481{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-06152017-174338-00000003-ffffffff.binMD5=6595569A7CF03A28EE66871270531CB2,SHA256=F3E2F6C8EE4476D595284D921B215FAEEFE1A0D50AEFB741F52F77AB145AA81E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.481{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-06152017-165837-00000003-ffffffff.binMD5=C78EA5488BE4ED3B94029108B91C38F0,SHA256=6832958B5BE5535AC6299E3574E45A5336B0057CAAD801287BB613661ED5DB8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.460{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-06152017-165644-00000003-ffffffff.binMD5=0EB5AE7B5500C19F2695A42344E5786F,SHA256=AE71142CBEAF0773DEE6FD52413D9E6FE270E3768562F8BFCB6F0D6D905844B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.444{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-05192017-213631-00000003-ffffffff.binMD5=22D545FFD3107B54171B74C23227201C,SHA256=58F9EFCA02AAE2FA3D7EF60138ABFCCFF5C50E040C182ECBCCDD3D4F507BAF8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.444{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-05192017-213132-00000003-ffffffff.binMD5=FB11D96A91018ACC4F60DC9594DFCB49,SHA256=2500F22D76E78E3984F333560F9DDE7852D285CBBEFCA25AC65BA83489CAC2A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.444{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-05192017-212925-00000003-ffffffff.binMD5=CEBC86D66FC3D883B760820F57B99781,SHA256=A46A7EB5DE3D985E3C5BBB12FB5F82F6150A1DB077E06ECD7A38A82A908201F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.444{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-05192017-205447-00000003-ffffffff.binMD5=4AAE3ACA6B66AF06FFADF76645FAC754,SHA256=160F68AB0A0B21BA8A76C0BC29830BF7EE7A7EE4B0A0140CAD1D6C43D31D5975,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.444{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-05192017-201910-00000003-ffffffff.binMD5=18B1918958F3DACA822D9E991EE52994,SHA256=C2F181504A2AC243B0B6D1228268CD96E7C6FC4154F51F9C24ADB11DDFE383BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.428{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-05192017-201454-00000003-ffffffff.binMD5=33F7BF0ECC775EDD95791EDF065A53A9,SHA256=4E8899908276A670E74A0C6940D67CD77BA794A7051F23BB09BC874F3133E691,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.428{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-05122017-011929-00000003-ffffffff.binMD5=880EF9DC7423EFA1DF011B80F2DFE2E0,SHA256=95B666F9C6B95A601DB6298517126D85198B75A27F62424007A1AE7CEDBDF434,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.428{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-05122017-011624-00000003-ffffffff.binMD5=BB4A963E2D27DFB2DED62EDA8823ECC1,SHA256=36CFCB2A8AE5DE6BC3F52593235282795CE4B7CFBC8FF3BFC2F906500302E4BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.428{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-05112017-235300-00000003-ffffffff.binMD5=F3D49396F6116E730822E9131009E4AD,SHA256=6C150BA569043EA6F5C8655B5E4D76D0096FAB09ACF20E8B5819CD388B6B597B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.381{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-05112017-235041-00000003-ffffffff.binMD5=511D24287092E41E852C278D47FAF6CC,SHA256=DA913E627B8669DFBE7AD77F4331EEA9839D7187987DC51D4D95F6B9EC589536,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.381{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-05092018-030056-00000003-ffffffff.binMD5=C3D82E5B7A2442C913FF59062BA9C07F,SHA256=C6ECFF6DBD3B200929C8C42EC06A5BDD5B5F790197CB39166C93709782B915B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.381{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-05092018-013757-00000003-ffffffff.binMD5=56251B3B1A68A21EDBEAB4A7728B489C,SHA256=448B12DD1CD92405EC57CA894BFB054B18B1A361EF4106DCDD5D21BF6912F260,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.328{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-05092018-013446-00000003-ffffffff.binMD5=D63C5C78FA31E4174BF2C0BE1E6908E2,SHA256=12C478FECF25BFB146374E3EF24F21AD1EDC51405C0844B66F1A1D48DFED2BA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.328{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-05092018-013245-00000003-ffffffff.binMD5=15E2FDFC27A3E622268DD497929FB6C9,SHA256=990998693F1C8A0C97C3976D181BB41C094953ECB9C7715E143E28ED8843158F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061708Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.328{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-05092018-012340-00000003-ffffffff.binMD5=E9B89C914632FD55112661FA1EACAEE1,SHA256=1DC85F6E9F3BF5D3888FD33DA64C329972A9A18504826A9D4F340F46CF95CCD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061707Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.328{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-05092018-012238-00000003-ffffffff.binMD5=C11C0C1181857D0B14393BA2E93F7C67,SHA256=9BCFB89726DAC0BDB33B36B876648A57A5E6C0AD984F9706D84C5EEB1B730597,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061706Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.313{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-04112018-201004-00000003-ffffffff.binMD5=8A604F046D38216365A63E2765053146,SHA256=58A66347E66685AE7BF6D85759D6D4E285278E2FD555027350EF1A2BBAC1A1D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061705Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.213{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-04112018-192339-00000003-ffffffff.binMD5=22A40FE60D43CFF1DAE2593D2FD60FDE,SHA256=5E5140AB657ECDECF915AE568BF071626240A44A07D41131668964D06300E0BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061704Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.182{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-04112018-185917-00000003-ffffffff.binMD5=4B54F34A86B14D4BF82E516187920EE5,SHA256=C1EEC976592D01B3D4E95C10D16B9983E3DCD6C7ADE44C831759F7CA1F15DCA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061703Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.182{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-04112018-185621-00000003-ffffffff.binMD5=F9AEADFF0E0BB38A2C682B18522D8773,SHA256=C6E0EF3ADD1FF4DD9FCAABC6C67BF8DA2DD8EE2D2CDED8A26E99E17DCB3CC1E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061702Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.166{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-04112018-185414-00000003-ffffffff.binMD5=C10E163C5EF4471DB4CFA0DE3448E5A0,SHA256=166BA4BDCA0D70E75CBB7F118144BF94396EC7D2AA9E60B9A3D0D3452B59B9BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061701Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.166{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-04112018-184553-00000003-ffffffff.binMD5=99D29E83223C3EA2E741759071DF74F9,SHA256=D6E6A864FDB8A12A09AE9B640CA7FA9000681DC491BC0E036F92B912232230DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061700Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.166{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-04112018-184436-00000003-ffffffff.binMD5=38F7197DB5DB51111A34D39F82463222,SHA256=9A5EDF4CF0E9908641B2A1E95C8386E2EBE03495D767157FB3F37180B5DC35C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061699Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.166{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-04112017-210348-00000003-ffffffff.binMD5=CF086FBD5A09B744587FE94084B3A282,SHA256=2C2AC17AF39B23666017F26FC0290E6BF27B94C03D31DBCD7C769C58CEB60246,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061698Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.165{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-04112017-203535-00000003-ffffffff.binMD5=2E102E965102C215E6A90ABE762CB6B2,SHA256=FB22B7ABACB6FF8BBA1E1A2E6487464672A3F48C2C8A31FEBAC51259610AA876,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061697Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.161{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-04112017-203330-00000003-ffffffff.binMD5=5AEFC83EC25F7D4110D45032F4AD6B45,SHA256=41CDED3164343449BE196C69A345B1BF78A707679CE1A92A7142495B5717C02B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061696Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.144{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-03242018-022731-00000003-ffffffff.binMD5=2C6076A29C66825B45BDA0E6DFC2CC76,SHA256=A5DEDBC344DD4BE2CA4769F0C2EE4397A6DD5150EA5CAB301272E56710CA3ACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061695Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.113{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-03242018-022555-00000003-ffffffff.binMD5=4E88956BDC1A779CE4104FE4ED986B8D,SHA256=719FB2E23107CDBCD695DB012245A4D0AF8E2C911230B7415CEAEDEFD263C9D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061694Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.113{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-03242018-022553-00000003-ffffffff.binMD5=F4F95DF466C2E00FCD4E36CF9E6B20A4,SHA256=69C874B8DF2ABA342D37941F52D70DA94632852E616C999CCF524AE99049F18F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061693Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.113{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-03242018-022359-00000003-ffffffff.binMD5=597FE3DA0539379F3E8679E88B9F8001,SHA256=E05951D99A5A7D9B562517F98E19A116C18002937DC40DE6270CFE9E33231B1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061692Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.097{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-03242018-013953-00000003-ffffffff.binMD5=30DB35360A2E174A02B59790EAD1443A,SHA256=3939EF03766F1161115F130368BA1AA76BBDA31F895FCDE8280C1E6A8B25FAB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061691Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.082{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-03242018-012953-00000003-ffffffff.binMD5=C91E42F8C53CF985CB13D0E00AED64EE,SHA256=785EA5C9C53BA0ED3DAB4563651CD765BF39DA4BB14558BA09C87266E2039B12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061690Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.082{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-03242018-012206-00000003-ffffffff.binMD5=E747D558F08E1AD7DA4BC12B551A00D8,SHA256=760AB12ACE292E7557C84B8DF31CCA2430F358693FEC2F314EE46CE70B153115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061689Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.082{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-03242018-012059-00000003-ffffffff.binMD5=4A3F9EE2787DA367A020AFEED367ED9D,SHA256=A9F5F607B57562C924C85B1BDDBB21B473F2CE04D6D8C7EC1C461211FABC2C31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061688Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.082{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-03162017-194019-00000003-ffffffff.binMD5=36F96611F9C52BE52416925B6DCE9EBF,SHA256=8F268528609E17D10A98DFC3394A39DCED85A0388AE35BA1FCAABF0B50D9E979,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061687Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.066{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-03162017-185716-00000003-ffffffff.binMD5=EF7AFFC2DBA6E170ABAD86A18C93F8DE,SHA256=CB8B5CA095F115CE7667DCF64F25C79268AEC718ADDDB279C4B510A933C6F19F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061686Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.066{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-03162017-185340-00000003-ffffffff.binMD5=7DF4058C7ECA544C99B88A7496DDE270,SHA256=76F588159D036F1DEA5C12635F82B88402AD1171881EDC6D10D9FADB9780D2DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061685Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.044{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-03062018-031206-00000003-ffffffff.binMD5=24C3A79EF0DF9AD59D32DB36325893D2,SHA256=AE09C51FFC3CA1E23BDD62A0EA54E50E2166CD9F5105CA9E5D7DCA1850FF04B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061684Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.030{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-03062018-030818-00000003-ffffffff.binMD5=6E753062DAB043AB0C4C48E7E36959D5,SHA256=FABA8B4C8B504699C293D4EF55DE22C3C323EC1A1BEA413A9F7A91074AD8F43B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061683Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.030{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-03062018-030457-00000003-ffffffff.binMD5=472F8CC53BC9B948C554DC9B44A88B7E,SHA256=257EDB1469D12E3F2865BD6696F628D1D43C9ED48014C1D408DB7F7026474B11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061682Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.030{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-03062018-025718-00000003-ffffffff.binMD5=194891311A9A53D0F6D2B62DFAAEE8A7,SHA256=23508989368BE56B84FEF9D7CBBF30CB832C046452BB568C1B64D9515D4B8A61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061681Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.030{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-03062018-025618-00000003-ffffffff.binMD5=A8B30A9F075A01BDAB9C25AD8AD0875F,SHA256=73760B61E58A40F898B3B00359A268CC950B633F85417B73F07D1387AC9CC4EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.013{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-02232018-111106-00000003-ffffffff.binMD5=B1ECD777AC4C0E55DC785243DA2F41BD,SHA256=AA653EAFD68EC2B66199F93CDF3574980FF7BB216192D8169DCE2E7D5AB745F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.013{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-02232018-110925-00000003-ffffffff.binMD5=BCD0F61423A8A2E2D6384308D6185507,SHA256=2B3799D06CF6D87719184AAD41CFF70575ED1974801B242FD89D193309E30490,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.013{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-02232018-110922-00000003-ffffffff.binMD5=7824A2EF89D301A90020B8CE701E4E9A,SHA256=AE35F59A383A422728C9915A19301916191288356D2B24A1D730696ACD6EC026,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.013{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-02232018-110739-00000003-ffffffff.binMD5=C43FD2A80A2EED56A8EF3EBCC79B3220,SHA256=3D43FE3C4A38A4246681CAA895B79F58632824D9F18E777D1EE8B3A6AFE17B07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.013{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-02232018-103724-00000003-ffffffff.binMD5=0CE2E3897BA225938B339C4B53AE694F,SHA256=1DBB6B7A627A5DB487025853E75232434DBDFB9CDA95A9865F5CDE6437B95F36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:01.997{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-02232018-103454-00000003-ffffffff.binMD5=EDD17C68B1ED981BAC7BC7A83A90ED04,SHA256=3C832EF31AAAE364EC179340C8F9AF1E30244B078FA44A220219D8B713C1A3E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:01.997{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-02232018-102710-00000003-ffffffff.binMD5=1EF3918737AAB6CC0474619243CB02E9,SHA256=6218493B6EC20AC561AF8EF9564E400239C67EFE9FDB85B4B50C1BA39A62BD41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.981{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180814-231446-00000003-ffffffff.binMD5=6A73A7065003F30265190A5A29156909,SHA256=654510ED3BAFEBBCEBCD856708F021E6F6FC2EB0EECBDF5613669EB60362AE5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.981{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180814-230814-00000003-ffffffff.binMD5=8DD92A518F4CC210E334A39D78E36F7B,SHA256=A792265A4C6200D0C92C14F86C1ABB33B8340CCADB568DA4F1D2A61E85747F2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.981{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180814-230709-00000003-ffffffff.binMD5=F920E6E4C53AD659865D51DD6A505DEA,SHA256=B88A83134F6E39346E9F924DA637E715C96B082EE1483E322777532B1096E0A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.981{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180711-034159-00000003-ffffffff.binMD5=A642437C77EF6A04CC1F656317CEBCCA,SHA256=5F00235E1D6C5F78830D6F3ACC27755309E81A065E7F4CA4DF659F91404A0D9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035504Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:03.723{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79E4BFA05C741CB7D3EB78D4BBFC5643,SHA256=E5518B2942E43291E4172588235531C9FDBDA5317E650F5A0E1B779E573AF6D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.863{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180711-032114-00000003-ffffffff.binMD5=E07FC6D0A057E3C9AA92D890CD2D5566,SHA256=4A73212D136415512A1D0AC65A6B61B1B2C8BEB73CA0B90FAC6B6FD0C973378C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.812{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5=47E0CB06DB9891A102927F96711EFB54,SHA256=CFFDF223C4086C9C0EEAA875CC6A014ED0D50F49A46794036CF9FFF96F1F1FB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.728{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180711-031939-00000003-ffffffff.binMD5=9122C268F7B34A1DE189161DD6D4637D,SHA256=D0B8929B7DA4303ED0802E03ACE72E6267E3D18983202BC2347D1439500BC9F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.712{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180711-031937-00000003-ffffffff.binMD5=37797B8356E86D9A5426D4351F709205,SHA256=74D26461EDF465918076627928334422F48AA060C5231FD4B8AFB1A1A929DBED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.712{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180711-031808-00000003-ffffffff.binMD5=7DCA0DDA2B1A4D0FB8ED4EED565C48F1,SHA256=9D53392301B427ACDF91BFE0A2ADEA15A82E4206B92A21341F4881EC300E1115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.665{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180711-022632-00000003-ffffffff.binMD5=858CC2D0EDB2F75406EAAA0F3464A401,SHA256=0249A2CD0393011849356B28E5C5CED863D680AAB0B3BE813310496F641E4CD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.628{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180711-022304-00000003-ffffffff.binMD5=D5D7B41B4F78F12C0C454EB71133573C,SHA256=B7977187C37C4B5F55A91FC8E713A92CFCCE176D49A820603409CD713F4F4826,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.628{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180711-022004-00000003-ffffffff.binMD5=61B4A9AB5091B6810FDB616D153DD606,SHA256=6E02BA1C65E4DEA7C9C9845EC9D4D1F3A573A53D69DC48592AF0C76C190B0CD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.612{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180711-021806-00000003-ffffffff.binMD5=B1B948CC53A4BFD2BAC7C33C7FC237E3,SHA256=60286C9C7C4634666CB4B618C7FC39B339966EC325B1F6F31B719181B81FC5E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.581{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180711-021105-00000003-ffffffff.binMD5=4F1B78D77C3FB72E1A5BF813C8E0C649,SHA256=3F42AFCD53E4946CF1E96EDC215EF6EBEBE83BEE6F075AA8E2A832787D8579C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.565{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180711-021000-00000003-ffffffff.binMD5=0E4436C9D770F48C046D872225853BDF,SHA256=04F439738C49AF906D407C02374E718756FCFFD22E77A99ABA106F70BD50C19C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.565{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180613-083420-00000003-ffffffff.binMD5=74F0BABFF87E30C2F2B0C3910840A586,SHA256=7A6110871E6DDBEC5305CD6D3D10590527948051685E5859C177F425AC0362DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.528{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180613-072329-00000003-ffffffff.binMD5=D64BB168571D2A3EE871633B64C1574A,SHA256=0A993253427E124074647BA3A23A506B7B5FEFF6DA4DEECE1CBE1489F1899BCB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.481{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5232-61E9-1500-000000002202}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000061796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.481{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5232-61E9-1500-000000002202}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000061795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.481{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5232-61E9-1500-000000002202}1248C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000061794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.381{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180613-062833-00000003-ffffffff.binMD5=D98135FDD5E69E777D33246ED75D78EE,SHA256=90DCF804EA3B42CFADEAC0DEB6095FBE76EDA900C7855A2F15031DE721697B34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.381{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180613-062830-00000003-ffffffff.binMD5=052F70C4F612A0FB21EF5651BAE0D25C,SHA256=3671DC6C7F7555E8654C28DB85CDF293B73B4A2D6772A301CE984EA383ED14F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.381{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180613-062445-00000003-ffffffff.binMD5=FAF5AB66EFA8C827BD0511726D3CB037,SHA256=8FAB8C3E1BD3E0CF1FF826571AD74A4A965F2BDCEF9A2A342A46E874C43238D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.344{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180613-053000-00000003-ffffffff.binMD5=7A482733CA6808AA45108F97B87652D3,SHA256=4508D5246A443F01F4BB3407DA2FFDB4BCF8D256D0106669FDB27CE829C1D813,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.344{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180613-052641-00000003-ffffffff.binMD5=1111CD4DDADAB69D436B3EB8E0018B6D,SHA256=8B5F23E02881A2C17B4D22B474238973C383962E72614EC2A9EF69CF10D32E68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.344{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180613-052308-00000003-ffffffff.binMD5=2205BCBF6BB0983F1CFE0AD7B5D2BA9E,SHA256=847F0A018F727E2350F3F5ACA56359A9706B906EDCD7283B9109B5E744D2D04C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.328{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180613-051539-00000003-ffffffff.binMD5=1B409BD26FEBA4C20464C88DD8A45481,SHA256=F85AADB1C81C4E0C7B8D56B9FC8C95B05310ED19AF6EDBEF7905D887E93154C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.328{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180613-051431-00000003-ffffffff.binMD5=6CEDC0A798788EDFF7654096CB26737A,SHA256=2E7E31CB9C1C915E9A5D8A6E15795DA290F6B31988EC22C57790D48729B2EB06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.328{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180509-035754-00000003-ffffffff.binMD5=CF1AC05EFAC518E213BD1BB08C17430E,SHA256=C295DFD181F966D07F3DFB7BA76B8AC5E476A9BC626CBF91D935D5029F5AC098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.213{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180509-030836-00000003-ffffffff.binMD5=518989F6F145D9FF856860B0F20DCB3F,SHA256=19F67F05AE40B9EE0B546820953B540C2E432929AEB67E0E436156EFFA897A11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.144{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180509-030634-00000003-ffffffff.binMD5=C0FA0686CE087BD24A9453D2EA4A4DD6,SHA256=200D88EBA4A82E734DF7F5977463BE9D97F2FAE92BED9D7268F83613F83F3857,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.144{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180509-030250-00000003-ffffffff.binMD5=3110074677F6FBA15D7EE7A52D877F75,SHA256=1DA102D3E2497201906501AD64454E2D104AF020F08C535D043496F929698678,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.144{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180509-030247-00000003-ffffffff.binMD5=9EBE55CE6FF5A9D68E7B751402BE1935,SHA256=87BE77D2A21C54D157A0333CBAD9E8B634BC90C045D49BA0F4F6A52ACAECAD05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.144{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-12142016-181714-00000003-ffffffff.binMD5=DC7F9802925E599A427D0A00BE1A6EE6,SHA256=D43037A0E594855E53D313A4D6CBB7A66C012B79C87F947E3DC48BC7A2C73E29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.144{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-12142016-181500-00000003-ffffffff.binMD5=738739E4771AB4F09E72004D773912B9,SHA256=6A0B87581A5C54D702CAE61AA86947AB5DD04491F4B89CE29897F4E4A0BC8FB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.144{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-12142016-173946-00000003-ffffffff.binMD5=27A3D03A6A0455E69296503D7CE237D9,SHA256=0806E3CB9D47324A45042BB8EBFD8424CBC61A6F1F58ABF126C6E1B2B3A2CA80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.129{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-12142016-173524-00000003-ffffffff.binMD5=EB5BCDD8ADDD9437C10B5DC0B24A6498,SHA256=A18AFE7CCE48D888359FC1B75EAB1613098DC7A8CE8995B09870F1B10FAB7DA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.129{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-12132017-224010-00000003-ffffffff.binMD5=37BB9DAE53595D373C3742A762592117,SHA256=998A2133AA19EBDBFB71611D6D4678421ED2550359850EFB8FE18FFA29CDFD9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.097{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-12132017-210244-00000003-ffffffff.binMD5=73A9F298EBC41FE3754EEAC192B277A8,SHA256=7D0650437A36777E3A3599D2A27E009ECECAD8A95EBC9D8B096952990B6C67D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.066{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-12132017-205652-00000003-ffffffff.binMD5=5547DA268C3E826D728FD9874B8FA7FC,SHA256=F6472A957EEBA682FC185F764D088AA81B33852FA8474FAF5C28A492E4E62196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.066{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-12132017-205548-00000003-ffffffff.binMD5=BD698502D2ABADBA7C8D8490FA9CA67F,SHA256=0A238BF5668D1E349DD762DD7FDC23A3A4F0D391BBB112EF91F1A0A281E9DFA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.066{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-11302017-224229-00000003-ffffffff.binMD5=A182190F61F21FD2FC8E65EA6C86A05F,SHA256=D8C58FD156FE549B14B518CD23F68F684363FCC15477F50394CC8F00E2930B3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.029{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-11302017-224110-00000003-ffffffff.binMD5=2B20CA6B63361B46AF05C174EAE738C3,SHA256=771786D8ADDB05B4C849D3EA86B9B1585BB1EB896E8DCB92D41A61666920D12B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.029{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-11242016-001636-00000003-ffffffff.binMD5=0978F08A35EF0BBD7482F0AB102BA86D,SHA256=AE05D4EBB85CA8404192F7018D9E19F0C990FE49107CDD3F5D1A28AF18E69997,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:03.029{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-11242016-001024-00000003-ffffffff.binMD5=D8698EAF7E83D33E80F10398E6EA1DDA,SHA256=D35A8E1089DDD4202874D35F6DAF4471EA9CAE662B9659EAE24D17B60319B27F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:02.997{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5911797A079B310AE5D019C09641AF58,SHA256=E8339B86524D35228E20A2CAA81D2A4246DB3BB2CEF2AAE0A3EA1A54B0865F4F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000061839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:04.997{67EB100B-5642-61E9-4001-000000002202}5756C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\7iz75hwd.default-release\SiteSecurityServiceState.txt2022-01-20 11:57:33.721 23542300x800000000000000061838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:04.997{67EB100B-5642-61E9-4001-000000002202}5756ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\7iz75hwd.default-release\SiteSecurityServiceState.txtMD5=CFB2109D5021463B3B82292F0EFA72D8,SHA256=F2A0640499F13EA4F65526E2E0D74089C0ED21B618678C41479AA21AFE6549FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:04.981{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181014-031659-00000003-ffffffff.binMD5=CDFBF09F611F755A3828256FFE8ADBDD,SHA256=8ACB97358D32FFF8992A795F08E28E5528CC1A8AE05C39418A8DADCC569BA7E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:04.981{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=076DCD5D7613F217E3F49593175D01FB,SHA256=C3D2706EB19695290391710200486F09D274B780B6007129509593A6AA183B5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061835Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:04.981{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180916-204133-00000003-ffffffff.binMD5=4E78C2F170C236924E76F20BD03C1AA2,SHA256=3D45DA173097654DB9C9549BC4EA43F0A528764BE94654445778F22CA619DF1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:04.981{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180916-203750-00000003-ffffffff.binMD5=3B7800B4DCB8D6277DD9CD008F6BBD31,SHA256=CD76B1A7CD3721094BD968A4CD135364FC2C4D9ABECEA6DFF2B348F83298B357,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:04.981{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180916-195818-00000003-ffffffff.binMD5=B8183137817BAFCFF39C93A9A279A64E,SHA256=C1CE5F33544034CA9CC7BED2558B5AA93BFAA26C5B420C30B06F0105F2EBD1E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035506Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:04.738{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD1E54DB02A34F18C657B2F19B2005A0,SHA256=641D8355754FE1C2D818A7085859D148C94770FAF2B17F58D45A0B1B294E4A59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:04.780{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180916-185626-00000003-ffffffff.binMD5=69FCBCC7666823491BFA644A7C2D13FB,SHA256=BB60987797890597694090D11CB680F1F35F96709E031BF3E5190E453F0A3767,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:04.742{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180916-185355-00000003-ffffffff.binMD5=A29DF6210952C5F2918CDA4D1A8372CC,SHA256=35B7CA7FDA50841749E7A3A578B0C8D8E275DB79963B38592302CBCF0DE552A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:04.727{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180916-185126-00000003-ffffffff.binMD5=945CB8A9AD01B2418BF87B6D1DFA2BE2,SHA256=B2C9436D861ED113E17934AFC0D11F8B9DCCDA7BE0C74DE755AEBE507709CFF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061829Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:04.727{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180916-184759-00000003-ffffffff.binMD5=D67DE0BE38DEC402CD586842C2A94586,SHA256=DDDDCBA4740522D56737588AE51F436C3B3B9DEB34D1748131BA9AB78DE0B769,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061828Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:04.695{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180916-184535-00000003-ffffffff.binMD5=FB1AFC0D3D2BB55C96C40F6FAC351743,SHA256=70DA21E73C8FB20989957C776FF79D98DD8F9F6E16268822B174566CA9E7AC7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061827Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:04.695{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180916-184321-00000003-ffffffff.binMD5=7D9E473B09440CAB911DD07E42BD2990,SHA256=F75F5618359F1D577978F91F28A8521A2DC293EFA0BA8B88685294E6A4A08F1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061826Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:04.680{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180916-182646-00000003-ffffffff.binMD5=1E583AB018B909389A1338473ABF3956,SHA256=B45CF5DD40179BD251F41B919E9458680D818252D80FD2B91C2FEFCB5F503D73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:04.611{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180916-181911-00000003-ffffffff.binMD5=4C671D97AF51B223E12328199EE9531C,SHA256=E736C4E316935852B66AA450B3E591273B16E5E5E492E699507E2DE76380F455,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:04.611{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180916-181813-00000003-ffffffff.binMD5=CE6CCFDBF2769F95902534BB1DCD4E47,SHA256=20904389E85F9E7F5710C2F1C0FB855D2694174C43C15534FB32D6165EBEC8E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:04.596{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180815-005433-00000003-ffffffff.binMD5=C81778D7E0B7F3FF1F0CF269FBFA0807,SHA256=DED3E5D281654BD43A0CFD456380DB570FFCF61DAF336B66394C5054D93465F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:04.443{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180815-003321-00000003-ffffffff.binMD5=041F12576B02ED32C95B2BF3CD182D93,SHA256=6B3EF2BBB61894841D90ADA7F15E60BF26FF0C269672DF7D48167EE92106B994,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:04.296{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180815-003101-00000003-ffffffff.binMD5=CBDA29ABEF8D061B770EFD9271853C05,SHA256=5A50E5F1176AE461317177D759C667CBA48310FEF7AA7C9722C5CD55AB37A16A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:04.280{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180815-002924-00000003-ffffffff.binMD5=289B48B4621D50D18B1FC937F82ED3EE,SHA256=63596450C909C8B48C26A152FCF3EFCAC677F8D9986A9B1D6E40881FC077E30E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:04.280{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180815-002921-00000003-ffffffff.binMD5=4B5335040FBAE083D5BA19865A46A015,SHA256=90D759EBB898FDB647D5EF205EC3D846BFF4DD62C674795B3EC9977A3F3CF9B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:04.280{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180815-002756-00000003-ffffffff.binMD5=F6E7BB5C42EE9764B60669E0C9FC0D8C,SHA256=64BE9351E11BEE9D902606802541C4026DEF694BCA251639203C87BCFF1DDA58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:04.243{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180814-232140-00000003-ffffffff.binMD5=A2F53873D6D701696927FBA912A5FFA3,SHA256=0FF235A04B1F3FF951A30A8B48D32B349E791C7FCA6907F11BAB37E003BF01C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:04.143{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=330C9CC804E95DBCA50054C3FBFEC4DE,SHA256=04452E8CF4999F966250B9DA076C2F3BD4589D24F61551ACC2F06EC2573A909F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:04.028{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20180814-231815-00000003-ffffffff.binMD5=5B4833B88A18A7CCE704ECF90725A1AA,SHA256=D7020ABEE85BA7E04F5A8AD50BE9473AC968624339F0D6A7C44DAC877FA8EF1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035505Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:02.152{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50991-false10.0.1.12-8000- 23542300x800000000000000035507Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:05.754{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=373DC4C6FA9A17A907CD57155C89BA74,SHA256=5043057EEE4B873C05C25C4000A98E5B6FFED76004667BEF95B20252F697E66F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:05.982{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181212-073757-00000003-ffffffff.binMD5=E2D4B7DD77E76080DB044F280587F82D,SHA256=096645AC7484335F09775D9C0B7D0450CB6B96CE7CBA18DAADD1963558629621,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:05.944{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181212-073659-00000003-ffffffff.binMD5=476951E3BFDC64619C07526A9EF4133F,SHA256=01488CAB258DC59F396FEF48FC62C10850C5974E112C4C2B52285D18956B825E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:05.944{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181127-152520-00000003-ffffffff.binMD5=A4553006695B029419DF346DCDA49D10,SHA256=FBED5EA1F04FED0E841A6BC065B2F553D209C76173DEC0073C868C2A3FBEA873,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:05.928{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181127-152014-00000003-ffffffff.binMD5=5774101967245B867EA0D42B2916827A,SHA256=7B7146849C14E2CA4B507E296C1BAF23871E2BB67E6C85AE8F18FB01CE28DEF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:05.897{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181127-151105-00000003-ffffffff.binMD5=D536386D83A0F342F246140A3F68974F,SHA256=7DB5A2FA9EB2A341EF0A44061A9C61E00B744AB8E1A58156E0253DBEA8203797,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:05.866{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181127-150848-00000003-ffffffff.binMD5=4434670FFD95EEE9F8468169AE659694,SHA256=75162BFED52CCEDBE455BE911E33199BA841FEA96BCBEB97B134E4278D08DC43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061865Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:05.866{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181127-145908-00000003-ffffffff.binMD5=F488A47ED303197CDCDA634456309330,SHA256=D266294104A6754D6160B04A7C7A97FC4D9B436ED08636F6A81DEBFC84D8C7ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061864Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:05.866{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181127-143812-00000003-ffffffff.binMD5=D73C53CD23AC97F6B99B22F81D784750,SHA256=AC7D25D6AF247A4DFACE6BEDEB70EC686B5BC501AC1AB05CF2A6FEDE4CA4D3C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061863Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:05.828{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181127-143346-00000003-ffffffff.binMD5=6477EA9112266C66C47F57CCDD9DC773,SHA256=E752B238FA0F60E0145A4EF5384787068FE146789BCD9BC757B7DC98C4F5C5FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061862Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:05.812{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181127-143239-00000003-ffffffff.binMD5=B7FCD0AFAF4A9BC3A8C4BCCC022D68BD,SHA256=C184ED8225DDF0D35BFB17B7EBFEAAE0E8274A0821C7E828A2424A2B2CC62602,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061861Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:05.812{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181119-044752-00000003-ffffffff.binMD5=7E05FE7CFB0D76FD026C16ADEB45B6A9,SHA256=522712722F389DD22CCBC6435EF2F7C081ACC2F4B1611A97047B7750E9ECACA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061860Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:05.796{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181119-041936-00000003-ffffffff.binMD5=084CC8D337B7672A52BD8EF9C5E39138,SHA256=E6AF78F1ACF4B146FD0EF8F0CE2831E1895C189C7CD0DFC1C9C973E69B85DBF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061859Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:05.565{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181119-041800-00000003-ffffffff.binMD5=42C9BD161859CC718BE07D28C793F20D,SHA256=660899D6E77E20C331C88B00671ACDC724A5CB4A04074B0B136D5555529AD5E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:05.565{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181119-041758-00000003-ffffffff.binMD5=FAB26BEF5BBCA2B1A5E29F30537F6F86,SHA256=4A9D6FFDF51C86F03D1850F64D94534BF8DF671BEA210FE836A4DC71011804C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:05.565{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181119-041628-00000003-ffffffff.binMD5=06BFB786D09E19A0D0E69529DC6FFFEA,SHA256=905EE4F45D93B8A8F1A72D88FB2FDD1806F449D47AE4D5C8D73F7ADDF0FBFE76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:05.562{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181119-032043-00000003-ffffffff.binMD5=8CAF0BB7CE42FFD9E1ED613B4DFE5838,SHA256=86A120887C4DB69F332FAFD8FD6E6CA0D306F10EC35AD92CADAE2C8A57779C09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:05.481{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181119-031830-00000003-ffffffff.binMD5=56E7888F0798098CDD66EF94106DEBD2,SHA256=A6CB2BD29CA6FFC50562AA27BB3766332F4FA2146CC4E51E0494CB26F8BE0507,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:05.481{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181119-030854-00000003-ffffffff.binMD5=756097A70D81E02D187568468C1480AF,SHA256=079B307F7E9DE19AD7C50CA452CE597CAF2DCA50B2FB4AC8D42BB423ACCEFAFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:05.481{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181119-024829-00000003-ffffffff.binMD5=F5136AE292599F81FB652EFAE8FB9E69,SHA256=15B13EF2EFEB9CD47107994DDF15F66140996E01EBF8F1415E3CA181F28C6FCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:05.312{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181119-024306-00000003-ffffffff.binMD5=C057591E7877BDA5ECFBE135F30AA3BC,SHA256=46D75D6C83E8E19101EB6E3666646FAB39A6C3E24123858429E78EC3EA3E6BF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:05.312{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181119-024200-00000003-ffffffff.binMD5=3EB76360059E5EA930714F9139767566,SHA256=C7CD4E600885ACFE6911DD24282983680454DB1344E1D45A76EA327FCBDF79B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:05.312{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181014-052026-00000003-ffffffff.binMD5=AB4EA0F91E9129DC29A021A36F72FEAA,SHA256=0FF1F2FF50C14F4A554422A5A813CE1B27C59CBFC05F1D0483383A76B63EE5D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:05.297{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181014-045751-00000003-ffffffff.binMD5=50E0397E22A940EE3A9543DC77C97DCA,SHA256=9D3876D327CE16B9B066FC78C2632C10E3368430918980681EFA6B3CC4822501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:05.128{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181014-045618-00000003-ffffffff.binMD5=2814FC0B9AA5AB60225B6B42616F0D45,SHA256=295EDA0B4C9390C3CE6ED00E70D8075378343E324B5DFF04257E7F18E8523553,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:05.128{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181014-045616-00000003-ffffffff.binMD5=873297D172B4483A4A0753B586E96E09,SHA256=A037124BFE177BB4D998B1C0BCE9C4D1ED14867FCA4D467278710403D4AB0EFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:05.128{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181014-045449-00000003-ffffffff.binMD5=4007CB8661704CE19DB1501BA15DD2C0,SHA256=D9EDCF9BD900BB01AC3906B779254D0C9096DC1311EAE390572BDF25BEEE67A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:05.113{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181014-034646-00000003-ffffffff.binMD5=93EB4C5485479FE75F15BFE20FFE8104,SHA256=96B4E0D8F2BF2AE359E4B73DC48963BC050DAFF4FB1801AB4054253766E1EA5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:05.066{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181014-034429-00000003-ffffffff.binMD5=463A64960D603BB52B57568443E96713,SHA256=580407C709E39B2BDAACA8A5968195194280CA849CD341DC40584AD72CD801DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:05.066{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181014-034200-00000003-ffffffff.binMD5=E0E968E1BE139BFD7CC7786968DE3AFC,SHA256=814D9E753A31C09B28F1497CDAD0143B1FEC6A744CB88765DF7E3099C11A8632,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:05.044{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181014-033935-00000003-ffffffff.binMD5=5A7B0A85D441DB544CDFEC6B641A333E,SHA256=722638401449F79B42A9BB48614E441842641606AD578850D785B52253069861,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:05.012{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181014-032141-00000003-ffffffff.binMD5=B723F32709D40466E86DB98EF352D08C,SHA256=C98AC49890037D8E33EAA8D560B52133A6A8CFE492F4849E2B4AA3B3C6F56B5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:04.997{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181014-031759-00000003-ffffffff.binMD5=D78BD07C43B5D991C4D55EAAD7BED0E7,SHA256=5B82C457F8B44C4EDAE4F033028C915E39D96EF3A916B010FECE241C127C9AA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035508Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:06.769{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32996EAC8D44DAB71A9AE7B958DC5F76,SHA256=D14760228AC84F820F3453BB6C74C7E2AE6967879421461DE38DDA8C1C1C059C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:06.965{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190208-033846-00000003-ffffffff.binMD5=2C6CF1415221E495320B2C32570A5ECF,SHA256=093034F3867C6463620218F78E3B2714F0BBC523F68C9741F6C169BBD7E4A7CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:06.961{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190208-033635-00000003-ffffffff.binMD5=FC258EFB6E9253EA07498A55C1327F1D,SHA256=BAC6FA4595F949D507D655888F6BA0128B216C5FAE014BF4F6DAF566F29BD49D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:06.928{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190208-032656-00000003-ffffffff.binMD5=33F686A76F1902EF80B6BA1AABA768A8,SHA256=2EF0A142151C144039CD6854DE8DD225BEDBD509FA832EFFD38F69F053795C4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:06.912{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190208-003402-00000003-ffffffff.binMD5=5F6775CFB83995342E82797ED0D75A64,SHA256=EF34CD0C95D8C74F4E5C3D25915AC5ADE78AD0A097B25B5BF8331C4191651273,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:06.697{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190208-003301-00000003-ffffffff.binMD5=76CDE8421A763EBDE115EF0254FA23E9,SHA256=74C01F7DA66F224169BB2E6FEBF13BC87E737F13E693DFC486ED13D0BFD919BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:06.697{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190110-010703-00000003-ffffffff.binMD5=9144FF8A22FE3D499E5679D490F695BC,SHA256=4B5FA08A1E1FE0DC7AFB8B4151954EBB729D9E4E2280A03C9988E6CBCA4925B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:06.697{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190110-002435-00000003-ffffffff.binMD5=9ED064B80D015684456BDE3C5AF9A513,SHA256=AC8D86CC60610B42AAFFE231518AD7B764139F10C7CD64FAD63B8C20DCB988BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:06.544{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190109-230044-00000003-ffffffff.binMD5=B02C06251AB0B0CE94FF9B0CB8E20BB9,SHA256=C346B2831093303A2F9F91A30A368D2193B942D046F47927CC4F5F0DF5A0BC01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:06.544{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190109-225829-00000003-ffffffff.binMD5=DC15A1824B8852CBDD85D5CDAEABEABD,SHA256=9126621573F0507FDAF46EE103D21365FCB1A59294EAA29B2972871873442CB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:06.512{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190109-224847-00000003-ffffffff.binMD5=847CD865CEE4BCDF73BB9924CE5DA2EB,SHA256=C88F1B56F89828C872DB577E99E0D6E7E5ADE49903314C21E59AA8AA14F09F0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:06.512{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190109-222749-00000003-ffffffff.binMD5=F2E8FB69E7CE44439824A4BF045C99EB,SHA256=1899F4BB2FEA1CCBC62518CCA5A3BEDB8B28B66E3A11DE51281E6D9AAA52E254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:06.397{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26EC8EE603DAA4ABA32715CA5B9313D2,SHA256=EBF1CB1A502FC4CCFFD61F848E15A889F89025BD7F6961611083BF6FC7980AFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:06.328{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190109-222130-00000003-ffffffff.binMD5=CE44F9475E46528A330B901E87B89FB3,SHA256=739CB944711E86500B35D2D6540B92C1413469F50397B4F2AB94934A5D944426,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:06.297{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190109-222025-00000003-ffffffff.binMD5=79D8C525815D9A4076B0A3234E85B36B,SHA256=C3378C40CC33DD461139547CE3D3EB9AB1195C9E050179FA11DC90F96E72ECA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:06.297{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181212-092626-00000003-ffffffff.binMD5=30CF5F5D39259E599D48F0B552F00501,SHA256=4A0D97CE675A8FF4983BE6FE8A8353129DE39E0BE618AE1386D50FCF00BEF5CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:06.281{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181212-092406-00000003-ffffffff.binMD5=E1C2580F0FB55F3886825B04155BD029,SHA256=97E542814BD23E66FAA18EF2E633C45528B905DCDBFD87881002A939D08207E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:06.281{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181212-090136-00000003-ffffffff.binMD5=75FF19399C257DE89B560D715539DC39,SHA256=E8CEA5C70821554835B5BC5876C311FABBB820C44F94811286C67F09EEF18567,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:06.144{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181212-085954-00000003-ffffffff.binMD5=46C32E4E422D978319B4B8DDD9E00F1D,SHA256=6C02ADD1CA4C5933763FCF0C27360D8C65A23240AC96A53CC568E94C4D2BD66A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:06.144{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181212-085952-00000003-ffffffff.binMD5=8CBBD6403C954BBAAE0FF2919D41956A,SHA256=379183316D9100935A9E82257D7959A8F9E1AC99874F7664FD924F99E7868D1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:06.144{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181212-085830-00000003-ffffffff.binMD5=E4DF678FD565C202E47ACA628CF48EDB,SHA256=42A2ECA21929B14303101856F26B002B30A27CEEE0557D8A6B30409D477E654D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:06.144{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181212-081337-00000003-ffffffff.binMD5=278AD95A560C78C17579023A203063CD,SHA256=403C233DB21423D817857F30FC0C29846E8D0909EC3919E8C9805BE783CE2961,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:06.082{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181212-081126-00000003-ffffffff.binMD5=75E67217F1EE84C83B301EFC67FBF3E2,SHA256=514D49022817C78E1F3E9C6DD7987096F13A803553F827F583C40444218495AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:06.044{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181212-080152-00000003-ffffffff.binMD5=56C5EC8C1244D46FC6311B8968C8D200,SHA256=6D9E774E7D474B7CF069F9AEB039C7CA1843F462F6495B52F3E7F19DF7A746AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:06.044{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20181212-074219-00000003-ffffffff.binMD5=C8F4BA614AA92F485969DD25E84113D5,SHA256=F35E45C9F15585B5DB3C45B13C753814AAF3A56F5878147549A9710785081F5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035509Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:07.801{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C051FE899053CCF967D4CCEBAAE314BF,SHA256=D6A8C4F7B38BBA400EF2AD4AA9A4D04487E43841CAB68E7C1B329E20A0D6F459,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:07.965{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190421-053308-00000003-ffffffff.binMD5=8C9ABB9D6F2A012ABC0BAA04E0A900A5,SHA256=96887406E2CFAC501A228813F4FD79A6582315CC630B816A1349ACDEB11E8CCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:07.712{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190421-053209-00000003-ffffffff.binMD5=4B2EA0893255AEC54F53CA22930DAB0C,SHA256=A94A70CF3D1D3E06C323A95951CBD35D949B5643870972E00B69C66F58A0626F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:07.681{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190314-014353-00000003-ffffffff.binMD5=6B8828BB7FB168CA210A0BEE11160C60,SHA256=6BF466257F1C4BD40BEDDE97EF65E1B93A06FA81BCC03B9DF5EEA4257A3AACA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:07.644{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190314-012129-00000003-ffffffff.binMD5=B45C1F60541122D58A71649D4A8C7D24,SHA256=B2B48FC4BEAA42480AC49343A3DF95E200039CC6EC39EB469172ED2F21AFE7FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:07.613{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190314-011948-00000003-ffffffff.binMD5=7D350455195985B00A15B1055CDDE1E6,SHA256=59612F2D9F119E4848908C90D490E4AAFB88E344EA0473B8F35A86AC78FEBF0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:07.613{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190314-011945-00000003-ffffffff.binMD5=62373FDDC003BA7F7EF8115913AA7D0D,SHA256=F7A11C52E6D9A34F746ACB83D296A9D57A039F12A44A7AC2505C1E7A0D7BD5C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:07.613{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190314-011815-00000003-ffffffff.binMD5=7AAE5D9E56979AB8B3DA1F2230222A7C,SHA256=0258B418FE5A9011F576224F32F1F9F130B9D46F0FC0BE8425588A362DCB0037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:07.613{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190314-003222-00000003-ffffffff.binMD5=62A64BE725FC8CD4C98209A4C1DE3734,SHA256=14E19C478EB514FC0549C37E1223DD2BDF3B647A415C78E5FA9B9686DD02F9C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:07.566{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190314-002954-00000003-ffffffff.binMD5=D949E7FEA7237FE5E80983F4A77E2EB2,SHA256=5E272B566B318C7EED2B300EF688284882AEE0F1035CB74EEEDB12809E5B1CBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:07.566{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190314-002001-00000003-ffffffff.binMD5=50838AE527B893306FD56086A764B5F4,SHA256=C643ECE2F24470388D83E74ABBAE33974F70121A5F8D0BE2A8A276CD7F95E33D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:07.566{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190313-235622-00000003-ffffffff.binMD5=8A4D6116EB9424DC46397F347FE43C44,SHA256=4243B623A304A5950FA12E173A7762AE23CC8EC45BE399AA6259DCC79DF67F96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:07.497{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190313-235518-00000003-ffffffff.binMD5=87C7F6753DEC73BFB848E0275CB87E04,SHA256=2A9C9A78276132238EBA4B99034F44EEFEF3CE0FBD60ACCD9724D46125A95352,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:07.497{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190213-081100-00000003-ffffffff.binMD5=4C632388702605A937B450DB3CBFE637,SHA256=6ACB663C2BE8F26F2FE7081786A1DC73FB3B3291AABF0230A3B2859EB8829071,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:07.481{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190213-080828-00000003-ffffffff.binMD5=ADA27EF957475937DEF25BF18DE0B81F,SHA256=1ED4C7E68BF6862B13353CB6EEAD3934C869E63ED96E35F8281E8DD6EA960D03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:07.481{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190213-071418-00000003-ffffffff.binMD5=E640036662B46CFFCC7F68A16FF65C63,SHA256=30DCDBECC61F4CA40A6FCA833E34A007BC51AAFC5AB6E8C04F830123E9552670,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:07.298{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190213-061739-00000003-ffffffff.binMD5=5532CE04359CEF660A973DB244DF461A,SHA256=5AE7DCC17DA8C5B83DB3DBEBB72B765E927226654F413DF94C7D79336A78733F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:07.266{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190213-061518-00000003-ffffffff.binMD5=820EDAC1EFBFA807DB815F1B4E968D63,SHA256=B73AC8D6B08FB0EF4AB6B86826CF45B3EE87D0436CB6ED5DBC84ABBB4B6344BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:07.266{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190213-060530-00000003-ffffffff.binMD5=3343975456F3B6A883ACB35A5A6A05FA,SHA256=8E037B08C99BB5A2428837B6CE1DCC36064D19D0B257F03AF225107A0DC32692,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:07.228{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190213-054337-00000003-ffffffff.binMD5=90F768DA30EE75C84C998A2139726869,SHA256=A4FFFD0D8EDDED8549A826F2FC82BDF8C9B597605CABE48A6F2D582BB33A3D23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:07.112{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190213-054039-00000003-ffffffff.binMD5=16406E71585105FE2806D6425681D2E2,SHA256=A86D773548351FA08AE96D0D35D11F48BF61FCC27112995295D0B9BE61507AC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:07.112{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190213-053412-00000003-ffffffff.binMD5=EF68B132D9D660F5BDBD6780C7165616,SHA256=2FA7D81544004A0F9B8ADE77581988F5ADE9E7718B9BC997E1EC44429AD0CCDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:07.096{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190213-053313-00000003-ffffffff.binMD5=6BD1BAC7A1BC707C8D9B0E2372AE9606,SHA256=F5F1AD52AA1C357F941C4C90CB52FB5F5A36EAE365145C8DBA778B6DB3F1C972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:07.096{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190208-200514-00000003-ffffffff.binMD5=3B27E3B83A9DF9533DA5976887242AF3,SHA256=F603A65C9F56D20864F1FF2214F514FED3ED981BA7E62C8043EC42B4FC0A9E3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:07.065{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=209249475E9605E6B7F26EF5084A11AB,SHA256=8ABAAE83C87E6AF33A6EE7E37B5D9B65F342121F6D217B106C344934B20E8EF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:07.065{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190208-200334-00000003-ffffffff.binMD5=91D4227A222C23908BE785D97A9C4E30,SHA256=87F18573BBED835B4B008261EBC4931D9C335998A16F8CA7A3676AF8B0A6B042,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:07.065{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190208-050816-00000003-ffffffff.binMD5=7945F80DE444A84608D04B14D6E56487,SHA256=BB758FE02CB002C6B03E2DDFD236E8B886EE5EC6264C8AF67A3C20C284A13C54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:07.043{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190208-042526-00000003-ffffffff.binMD5=5BE91A0BA2DF4FA32A07AFBA5F98872D,SHA256=7861BDE65EAE106B446AAF0395598A2A7D981508F65B91E4BBB686FEA75D453E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035511Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:08.976{8EF30467-5222-61E9-1D00-000000002202}1936NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08eff906c3b0b2aeb\channels\health\respondent-20220120121429-104MD5=9C7CC3E13423C542C468574212C91F42,SHA256=598A0B94AA34B4E0F57831480B3ABFCDA89CC50178B87C4D9085997CAB025298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035510Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:08.833{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A2B566E6535BD862DA64DE06F4ED648,SHA256=31E07297C9FFDB111E891BD68B48037683DD92EEB3A9D71A89AA91DB2164FCB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000061932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:06.833{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62430-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000061931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:08.612{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71ED6D3CA06B2FB3A4601F9297C45475,SHA256=186BC8AFBC6C3CF5416364719E77E496BFCA235C1396427EC964D5D8DCE93F1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:08.381{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190426-052804-00000003-ffffffff.binMD5=E0C6FEE9262AB01FFABCD3C687C099B8,SHA256=8B86B99622ED68FE7FC57CAB9CB4B90E5CDB58668ECACE4F52D2D85CA859053E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:08.365{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190421-065648-00000003-ffffffff.binMD5=DCF5F52BF88528BA5D7A34A8A0BFB264,SHA256=6E086B1F4E5C1DB3391B39FD7EB181CEC9BA963CD2F613A24FB4C13FD56A27BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:08.097{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190421-065451-00000003-ffffffff.binMD5=02678F335A244AF3DC7D8BF920B38ED3,SHA256=F227B7DB4050E0B19AD32AC765639CB72B23F312B6EFDF148275F6BB5AD2E07D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:08.081{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190421-065449-00000003-ffffffff.binMD5=BDC4348B9456E4C5B706B24302BD113E,SHA256=689E91C79D498D4B8E7142386598B258F7D39392EAD094A6381BF493533D3F7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:08.081{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190421-065325-00000003-ffffffff.binMD5=FCA29651550612F744E221C62C263EFE,SHA256=F4A4DAA9248A57F90B6668210A16849AFB891819430E6D1E9C24F875C4C5B6A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:08.081{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190421-060848-00000003-ffffffff.binMD5=039C98A263F265D48C0D3EC85C96C1BD,SHA256=791D665EF3862EE6A51F80001324BFD8C4B8C22FA33DA9399A0418EAA838BD42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:08.028{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190421-060641-00000003-ffffffff.binMD5=DDA7900E7B4EE2F20287F87DCE24D622,SHA256=AEB8C95E478942A52C61EA9CAD63BCD9A64DED5DC80E31E22F45326DA75FDE3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:07.997{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190421-055710-00000003-ffffffff.binMD5=6B53E1028D9BCD0F249ADB4C5F5E86F4,SHA256=FD0CC51A5560BBD3DC1427ADB56A5E62551DC2B910E7143D2A64AA31F6800521,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035513Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:09.982{8EF30467-5222-61E9-1D00-000000002202}1936NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08eff906c3b0b2aeb\channels\health\surveyor-20220120121427-105MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035512Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:09.872{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2E14530497CCE38762EB41BF9E19698,SHA256=B4A2D20540755B141D62E65C011FB5884E8F2DFE5C71E6592027F5E2705409A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:09.380{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20E5A0E6720133072BF111E3D27A7206,SHA256=C398DC2063C463AE712C5E2FE21267D7538974EC804398D2CF655A0C7C190856,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:09.280{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190426-060442-00000003-ffffffff.binMD5=25C5BCB5176638FF7B8321BB87F6DD67,SHA256=6C9B56655AEA7C8FEB6D108714368DA0785F285D3AA7969886502ED206F52AB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:09.196{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190426-055448-00000003-ffffffff.binMD5=DDD9698141D111F6702E3483543B3D73,SHA256=3958FDA428CEA693838215FF75F570BC4B55D98DBFA9B9A75BEF40CBAED00473,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:09.065{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190426-052856-00000003-ffffffff.binMD5=E093712E84B60F401F90A2C1A81F182A,SHA256=CD0B45437F46ABE4273CD5DAE204A2CF5698F779A5696BBC771C58D6C4F6B824,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035515Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:08.161{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50992-false10.0.1.12-8000- 23542300x800000000000000035514Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:10.874{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B89F95E684783D2949F88AA5AC6DF95E,SHA256=2384291474E4A935821481BBD1299A30D452E772C1241134A91BA59AF67585BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:10.511{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190515-052747-00000003-ffffffff.binMD5=0E5B06D6A27FCF7BD55808023165A3FD,SHA256=70DA70777F4C73152F6E521F32C26E5963E6642042982DA504729E68FA809ADC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:10.442{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190515-052640-00000003-ffffffff.binMD5=B6FD976FDCC009E11078C166BB74412C,SHA256=816F3CB03EE79FF3F2978293092DB29B414031DBF1FB89024D55E95C379FAAAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:10.442{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190426-073728-00000003-ffffffff.binMD5=C2E91E3E4256BB685BEB23905BA29B2F,SHA256=A9F874362945FC925394738D3CD40F6D7299BA76CBBAFDE3AACD72C50F18F50D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:10.395{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD8B5D515DC1431231A3BA049AACB335,SHA256=8A3B4EA03523883939763BD21DB17FCDCB97A4A8166ADB8D16F6B3E63FC37C9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:10.311{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190426-065655-00000003-ffffffff.binMD5=2B055C0A8E4EA938844BFC21AD768C43,SHA256=783D42B3858509881234E126156E7063413B02E2F310ABDC36BA4AD5F5C76D31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:10.164{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190426-065455-00000003-ffffffff.binMD5=77CE483695D4E05BF2CBC22DEE4B73B3,SHA256=20599C862C81BC9A3A804374DC00D46BA93107FED6B2183B18080349A5C3D62B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:10.164{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190426-065314-00000003-ffffffff.binMD5=0965AF5A1C5723553F2B84100BFE0F5E,SHA256=0778C438F33DE0CF81ABFEB3BF8708253D85194A240488AA7A26B91929619298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:10.163{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190426-065310-00000003-ffffffff.binMD5=A3E433539B73052F53041810734D86C0,SHA256=B0B44824B4A22CEDF36A6FEE8E84B54EBEA2C721E2AAEDBB73DB7FE5F4320542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:10.162{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190426-065204-00000003-ffffffff.binMD5=62BB206289ADC091FCC912C800016001,SHA256=85AD7AE3F118CBA1D984FB9E9964693705A12BC6858844686BBBA4A0A54C46FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:10.111{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190426-060711-00000003-ffffffff.binMD5=C2781416640C1AA2C38522A5552B1CC4,SHA256=D52ADB6DE06A0B4E7DA588A10C149475E342A3AAFEAC6D4ED5746FA90C0E4BA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035516Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:11.890{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92C283692C2928E48708D872D6AA19D1,SHA256=CC1E1E183F49B1960782B936F530D15E5FE32ECF307BE66CE520E3FEB055FEB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:11.874{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6B63-61E9-F603-000000002202}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000061971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:11.872{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000061970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:11.872{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000061969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:11.872{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000061968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:11.871{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000061967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:11.871{67EB100B-5230-61E9-0500-000000002202}4162384C:\Windows\system32\csrss.exe{67EB100B-6B63-61E9-F603-000000002202}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000061966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:11.871{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6B63-61E9-F603-000000002202}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000061965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:11.870{67EB100B-6B63-61E9-F603-000000002202}2352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000061964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:11.539{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190612-052748-00000003-ffffffff.binMD5=9012FD33D6619B041864960B6BFC1D99,SHA256=0F419C177FC774501E0E6B8DBFB68B2EF157A7FA22930B5F881229A0CD59737C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:11.539{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190515-074314-00000003-ffffffff.binMD5=628D0D2F55B5EE7CEB6FB6CB292C25C4,SHA256=A3769BB60861000B99E3549198E99F50CB78B33D153E67E6B9A376716CEDC4C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:11.412{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06B73F795982F03B1B0D7B2BE547568D,SHA256=359DA1313D173B02E7B1DBDA595E0A2BC03FFB34D531494FD64B33C9B1219787,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:11.367{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190515-074058-00000003-ffffffff.binMD5=D2D01C288ECA48F8BFC387127C19AE39,SHA256=741FD32B2776B21DD9D0C99CE5B4500F8349991AAC073DE0308F6C67C7D75B98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:11.330{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190515-065518-00000003-ffffffff.binMD5=9FC443036900F2E049A367936E72C0C7,SHA256=F04CA846441146FCE0A03AEAD6B921BEB2F1188B303EA787840A607E9E5BE41F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:11.242{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190515-061831-00000003-ffffffff.binMD5=C13F5D83FF48B48C026C17A02E7CCD2C,SHA256=AE9B53B1F6BF7BB4EF40A0C8B022C1F3295C1100AAAC4938A2B0FC8BFE50AF89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:11.195{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190515-060550-00000003-ffffffff.binMD5=D977B19A0DDC491453685957CF6C9121,SHA256=DF45F1F4BA25420FA5C20EAAAA6A2AA20431598A4C25536C36483A5F3E63283F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:11.164{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190515-060323-00000003-ffffffff.binMD5=34A9D2CDF6920DCB6B1D477039C0CCBB,SHA256=6E0F9075C404E20BE41C07A8B5245965296517D00EF87A416BB84F5DB4CD303A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:11.126{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6B63-61E9-F503-000000002202}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000061955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:11.126{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000061954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:11.126{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000061953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:11.126{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000061952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:11.126{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000061951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:11.126{67EB100B-5230-61E9-0500-000000002202}416432C:\Windows\system32\csrss.exe{67EB100B-6B63-61E9-F503-000000002202}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000061950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:11.126{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6B63-61E9-F503-000000002202}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000061949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:11.127{67EB100B-6B63-61E9-F503-000000002202}100C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000061948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:11.111{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190515-055334-00000003-ffffffff.binMD5=6B8DF05F002E63E02E8E56CA2844B36D,SHA256=3589FD0D42DBF0DF03A43D63B32FDDAC7F950C8222C1CF84DD2A7BC3B7E746B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:11.027{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190515-053315-00000003-ffffffff.binMD5=814DA99BD837E9FF811771F4D3789549,SHA256=743F1F9A4F8E4FFD8608D94AA902B4E450449C95F05A52639B4847FC55B7E586,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035517Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:12.905{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=117B0A1B31FFA0ABD8A1BA8E77D33138,SHA256=8468D2D1AFB8D0CD13AD408C1D3A418BB2CFDA0AF8E48C9F104DA5FF6776F5B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.992{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200513-180314-00000003-ffffffff.binMD5=9B0BCC124DBC0281EC026A3F5F2ED5AE,SHA256=4ACA99F9CB5D5E318B11A3F67DC4827D98FCBC9FCC3D094BF024C2D99EF679C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.976{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200513-174232-00000003-ffffffff.binMD5=0E5DBA124BA414E4D30957B4991DE5FD,SHA256=63349EF2484449432792B538DD9FA0947470B2EF670359EED8B6F3AD381280FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.976{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200513-173909-00000003-ffffffff.binMD5=8CA4CD02842F05FB059123C005A61264,SHA256=4016EFD5A89AEB6DADD9F6486E7B055E67FFFD448A784740F58D86741A66E37F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.976{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200513-172855-00000003-ffffffff.binMD5=5136A7D1EE008EE1042F7CC5DCFA0150,SHA256=88D8DB9D25CA6E2F999E73EA2F753CFF0D61A4D172443D18AF26607F1DB04FD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.976{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200513-170051-00000003-ffffffff.binMD5=D04BFD324339F37AAC820EA2C3FC0BFE,SHA256=EFCBD9E510B1E2D3FE9D724D6239B70EA6312ACF3280AB30BB7B58F1698EDE46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.923{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200513-165926-00000003-ffffffff.binMD5=A53A8210F3970FAEBB1B55B5CEA6BDE4,SHA256=CE51D576319C34930DE31B91C114ED590FD02B78889746752647BBB8E5B2B711,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.923{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200415-071709-00000003-ffffffff.binMD5=68E691CBDE2684C1D8EA930CEA413386,SHA256=150B206EA36D806091BE130F92CB4DB508DAD037D165FEFDEA7D784DB1316BFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.923{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200415-071427-00000003-ffffffff.binMD5=40130F54471289EA6E406F5AC6A5A8CA,SHA256=F63C5CF1AB7469FD197FED3B4C050E22F0768A4A7C63D58017D6309E9373FA45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.923{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200415-064510-00000003-ffffffff.binMD5=E47605DE35E1A29234CAB16446C420E8,SHA256=58361F6C0F8CC719C0A4309275670171B41FF9681BA2DBEC444B7BA8EB8D7B36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.923{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200415-062852-00000003-ffffffff.binMD5=4D84FCAF77F8005125DD9C08A3F6B727,SHA256=6FB9997651114ECDC94FDEB2B8F29897407EDA07DBAA7DB140094AD711E7646C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.923{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200415-062848-00000003-ffffffff.binMD5=67CBEEAB48AF248E06DFB7EA64D87B21,SHA256=F18F4480248CA2F3AF2683BDCDB40966B649A7C812C974EDEFDD9E48561C6191,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.907{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200415-061045-00000003-ffffffff.binMD5=A4E229F489145647C89232C70863FB08,SHA256=C95193A3025D73DA23612049ADE8BEB1524BAC13670AB3169A45C8776C226AA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.892{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200415-060731-00000003-ffffffff.binMD5=454D0F3639AF8D83DBEF2C0209EEA99D,SHA256=DB7D96AAC57B5AE40B2A98F0FD2D5964A3E90FCCFAAFBF2480C4DE62A2304F96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.892{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200415-055723-00000003-ffffffff.binMD5=E38A3C8005DA4A1C50492269FA3358F6,SHA256=3607360EF8B765CEF89D5ED0FB2F41C809151B5259DBF10736B6A80B4A759872,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.876{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200415-053503-00000003-ffffffff.binMD5=350AA070CB4285BE99B020ACE8EF7956,SHA256=2FCAA018A7DD5770156BE9DD96713D203900CD6800E0E23EA7E79EB9B62EC9E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.839{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200415-053001-00000003-ffffffff.binMD5=B9883179059130ACB93958EA39D54B7E,SHA256=63BE133C303ABF5EECE57494180AE952D007D567CBD061B6E24269703168209B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.807{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200415-052855-00000003-ffffffff.binMD5=DC671BDDC5E1E5A44BC4F81C6A01380B,SHA256=3C8A1E49C55208A018D188200839C395ED6F4B6BA69D05E239109C5F199B730B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.807{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200311-073404-00000003-ffffffff.binMD5=329898A5CB05486EC4E10DA71CD39F8A,SHA256=5F1E716766D3BA08F2ABA632F847A60CD1B3747DB8545E72A4BB7B6217E81A78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.807{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200311-073131-00000003-ffffffff.binMD5=7F38CBA44D9D745D789E552B95396B06,SHA256=0B086BAC536BFB76B3C74F2F2E3D46598687B6F2783C0274C3B73F1265D04A0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.807{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200311-070113-00000003-ffffffff.binMD5=20BB5BACF765A670025A400EA178DDD3,SHA256=E43FC806D15FBC102C931A23396CA68A94BFA888C3A3DF7DBFEA671111C22EBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.792{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200311-064247-00000003-ffffffff.binMD5=9492DAEBF833A4EA7278E1A1157D03C0,SHA256=C970C79533898710BEAB14BB18D182067587C790BEB7392ED5F3032F819010EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.792{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200311-064244-00000003-ffffffff.binMD5=E5B3E71C587888E3212EA8D3F23008D0,SHA256=91B2EFE8DD9CE300C1772F9E851E8FF0136F2AF854C71836A79175D1DB901858,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.792{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200311-062340-00000003-ffffffff.binMD5=9A096D6A069F7B8F628BD72F4558D180,SHA256=01A29FBCC2C9C6A88C3AF68FF055EAC85439ADF1C8D32BB19496B570F1BF6723,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.760{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200311-062022-00000003-ffffffff.binMD5=87D7B3155C029DB3AD4E4A998C1C08B3,SHA256=DA491A711C6C49274DE73EC0918098F973ED1B70EA5AEFCDBA4E385C41503204,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.760{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200311-061014-00000003-ffffffff.binMD5=6C7BD10B19DC83AF4E634D07407DC331,SHA256=98002A96E78349EB683F6B220052E6ADDC9DDEDDB09977025AE1BCC87FA67028,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.760{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200311-054437-00000003-ffffffff.binMD5=C67E468D598F80B73956A74D6D27E08B,SHA256=A4D7BA443295DCAA6990861DD713EA0016E9454FD0834D8B0ADCEC9BD7FDE62F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.707{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200311-054114-00000003-ffffffff.binMD5=572856082539AB16D2C9EB91727A15B9,SHA256=D6E94970C1525BBD3DCC57A698CB6D9A6AC8097C919A6A3C44365A57DD18BBEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.707{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200311-053511-00000003-ffffffff.binMD5=96983E90A09F16952053EB0CE34CBFFC,SHA256=E6A83985503B22CE58E7096BE3303B4D7D11A18096BFB84E3A54A7C40DEBC0D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.692{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200311-053305-00000003-ffffffff.binMD5=5BC811F99742AAFEC54A4980F4451BA2,SHA256=E822B422891ED55F959BEE64310D7252F6CD498C9E1B79B88E99D412DCE88DA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.692{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200205-072041-00000003-ffffffff.binMD5=04150822C2CC8DE5E44408AD79ADB6E7,SHA256=CF6842CE4569F8ACA1A863F67A60036464785BD04F0E2C49E3E0DEF10899120A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.692{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200205-071812-00000003-ffffffff.binMD5=4686FC81511ECCEC898DB92BFC0517D7,SHA256=A6B8C7AE2B907157BD6C640CF3835D91B492112887E75586F82663AF28CA4DE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.692{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200205-064856-00000003-ffffffff.binMD5=FF2831EB55D84BC7AB77001A5ED39C72,SHA256=3DCE5185A6013147BAE597529E487EFDEF94D9AAA5D44D66DB8A6ABF7B3A437F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.692{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200205-061312-00000003-ffffffff.binMD5=FB97A75CB0112A3EB4F29106511B6C95,SHA256=6F1178AEDD08A9A376C689B808B4D7418BB08F5B1D8CA8ED51D01B1A5C6FF29B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.660{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200205-060944-00000003-ffffffff.binMD5=8D90ECF72A3CE9AE53B22DA855DF53AF,SHA256=5E7E0508348D25D899EC14CC6D9C6A3FF3479E5DEAB561441F84EF964710FEBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.657{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200205-055932-00000003-ffffffff.binMD5=3477E1560E39AA8A36ECB5A1968D9944,SHA256=FA4210E55070D2F5CA017BC026AB3BAD0AD506C5D7D4B59F7806D5FB8A5DE98C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.654{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200205-053008-00000003-ffffffff.binMD5=A54264DE545913F30EE00C03D40F2EB0,SHA256=69FAFDE29ADAD36080054846859A808A37187293FEF4B73C6BFBBDD1F70B1D38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.639{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200205-052841-00000003-ffffffff.binMD5=9A06E3D17C74656B8A9BD88A566BB7AF,SHA256=B04686024C57CBAD2546438AC283A5A873862EC50C6F125E3F3E036BAB053750,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.639{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200115-071839-00000003-ffffffff.binMD5=4AB9705FFC4852A7D92B63F9F55B94E9,SHA256=99B2C3A8796B0EDEF6712E4F447E9234F2456C96A34B1F704667199DDA17C0C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.639{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200115-071609-00000003-ffffffff.binMD5=9935147D38A62B2C015396036DD45BCB,SHA256=53A4728AED038774519B4903E4BF9EE319DE4C04FFD1214780E12CD511311ABC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.639{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200115-064956-00000003-ffffffff.binMD5=A76F0499DF4D83856630A255707EDC16,SHA256=D627108565E663A99A16DC3D71CDD171D46B183080BA513F7EB06ADA5D150EEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.639{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200115-061636-00000003-ffffffff.binMD5=D545F16CE4C4AD34423106FB4A3706EB,SHA256=A09B18A2FE04155E10973FAC325E2354FA1282976EEC29C5797AC2BA84AB50AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.592{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200115-061403-00000003-ffffffff.binMD5=902C640E36A9ECD7B67C806760CC50C4,SHA256=A2DF3AC0582D8DE7ED2FC6895BFDA343C1463133382F159828A49F1FC1D529C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.592{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200115-055954-00000003-ffffffff.binMD5=12DFF3E219EE0684E14AEB3494DD9D85,SHA256=3C3F1C248E9BA0DB7E0105071ACA82DC13FA9CB9E15B9EA2538B4C64329AB4BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.592{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200115-053227-00000003-ffffffff.binMD5=0235B3D2DD93586C496603F7D2D50783,SHA256=9CDF79DB44BFFA931999245FD45966A9E37DAECF27D256F18F7EE89FA66876D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.592{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B0A23C96E83EA7AD47F904884D3AC4F,SHA256=AFFA3411928FD26686A5CF832FF206A9E692136AA688E8348ACF646FB3D7948E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.576{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200115-053116-00000003-ffffffff.binMD5=FB4C5C2532539C05BA5FD1221D9EF156,SHA256=AEF8147DFE502D9C7D77B095C504B69CB7F28C21DA45D4FA8DC6D113FF1A8CBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.576{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20191214-183133-00000003-ffffffff.binMD5=21185AE3F32EFE315BB17CD93A0675F3,SHA256=80A6463F8D25A5E0C8B2D8B50E7D9E4E7718ED68D817F400B40751A53844C03B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.576{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20191214-180436-00000003-ffffffff.binMD5=0D6918C1E85FF76C9C3029E62540D3F2,SHA256=CA0B0857B004B7D69D30B8FA8CFB337071DF64D6A4F74A8A4A71A7B26F4974AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.576{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20191214-180241-00000003-ffffffff.binMD5=E23F82B3B0DFEA346B1C6458176C73F3,SHA256=942A92CDFB61834554DE641BDB2BCCD7776368B7EE3DA512495DDA445472D4A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.576{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20191214-180237-00000003-ffffffff.binMD5=ACDC0BF101BCC1A327D96BBCA38B4B16,SHA256=24DAD37A546C6B1B14DC5A5AD35D796E6166405C5B910BB8423852DAB7D61768,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.576{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20191214-180111-00000003-ffffffff.binMD5=0456970434975D56D313E15FB9D6E5AD,SHA256=2D8052F7CCF7F87FFC7A60063293D0B2712EC72A69371EC7A870EBB0F4D3C572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.576{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20191214-172358-00000003-ffffffff.binMD5=EDD65A0F325F4FE73D2FCB500C08F92E,SHA256=AA9050197A07731D3C096E97B3DA65600B94FD4D7192C2362D07B7B03F158249,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.539{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20191214-172122-00000003-ffffffff.binMD5=8C28C38DA33EE297182A5DBFD6E956A4,SHA256=7C83BB490F089CB0422493A55035E808424AE5131078D915B39CC93405665B84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.539{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20191214-171118-00000003-ffffffff.binMD5=B89DEF9956DAE975D7A5D46CC8867045,SHA256=26CC1F5782D9FB87C481C8E112BBCBE7E7BFB0C1E57F701E7F0E2B0AB74A7FEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.539{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20191214-164654-00000003-ffffffff.binMD5=A025C6A0149819A48E204FA0052574DC,SHA256=9402744ECED8D56DDD693D3A83AE43B4DA68F61C7E90A851DBAEAD0F2D25825A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.523{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20191214-164545-00000003-ffffffff.binMD5=17F0C385936C15E845E5131F35D3E711,SHA256=FFE5EACA4974C5C90EF2EEBC498CFCC19BD70D2CBA3E4A5FB72FD644C87B54C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.523{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20191113-074055-00000003-ffffffff.binMD5=F8EEA0854793C64B9BE7E5029D0F655B,SHA256=7EFD58C0D273F04FAF1C89097B1B30FE760CA9D47B41010FDE9420C3251A8FB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.523{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20191113-071043-00000003-ffffffff.binMD5=A3C5B466350366778DE0EB631347A31B,SHA256=B966E8D6F1027488D74CCD06E4F04F5636FD7776ECC9BDA3A9B8E08F83098C07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.523{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20191113-070859-00000003-ffffffff.binMD5=0F8FA21A9CD4DC9B687ABB48F48FC5FD,SHA256=2A02AC12E5105FB634C13B5410690B9E6C46CF9A326FD67D4BAB08836C8E8BDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.523{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20191113-070856-00000003-ffffffff.binMD5=BB87231024E4CBBA1F021E2B01FBDACC,SHA256=67C6574854789DBC6D5339BC3FF79BB43865424665EB11455D9B4C8D715043E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.523{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20191113-070724-00000003-ffffffff.binMD5=06D3870A95FFE3762F6849A089871B08,SHA256=7D6CD378A68E5938B0E1F1BFFC490905EF6522A920D3703BB4D9274BD8B9232F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.508{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20191113-061132-00000003-ffffffff.binMD5=64078BFCB554A0E43611B1885D3F736C,SHA256=9BD39E3E3D88D61ECF5C698ABC5CFFED31F5CD56705BBD17991C276C9D0A78A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.508{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20191113-060857-00000003-ffffffff.binMD5=2DCB53EB66D5B1DFD8A2265D2DFDC641,SHA256=17B3B21ED7D919392EF119BAE1C440BA4C3FA03C8ACB8DC8199E3867D7D1D284,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.476{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20191113-055857-00000003-ffffffff.binMD5=A29C753DCE0434A93576E67BC4FA7A24,SHA256=C84764D06665267F41611D3AE82CC1BBB6E42037F5BD09857F382511C635A6BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.476{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20191113-053543-00000003-ffffffff.binMD5=9029BD9A6AA3B2F6698D10B675E06E1C,SHA256=E5E76650DB0EF196F0E11D9AC971C731D10C3B6E2EB1D09BB108BD8BDD0E3622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.476{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20191113-052932-00000003-ffffffff.binMD5=2DD1BD6BFB480B40C5A8ECA6CC8F6425,SHA256=0096B3C48E67D7F3B9A582AA08ACBFB15BF329E78A1C9BA00E575BB67790508D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.476{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20191113-052824-00000003-ffffffff.binMD5=05E32160AFA07F0F3591B452F6D72F13,SHA256=675C3CC673438AB3B4C981CDC5F84423295C775747CEF231D5BA522540C6BDEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.476{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20191009-073512-00000003-ffffffff.binMD5=1F5AD339CF4CE5C05D869DFE720931EF,SHA256=9C406713328E2EEC36D488BDB09FFCBFDD15D8FFE38B710F48AF1A68B7D924E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.461{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20191009-070549-00000003-ffffffff.binMD5=7402AE3E81E554DCB9BF3C8F68BEC9DD,SHA256=4CE719D1DB7B20C2D581882FD578714A568F9B42A04F9A0ABE39CA329C647CCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.461{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20191009-070406-00000003-ffffffff.binMD5=BAF35E53A57649D0F665413090CE9DEA,SHA256=93CF96B7C42F44E0BFFCF339938ABBBD2A0D4F3E00C1F79EE1B3B8CF5DD73A43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.461{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20191009-070403-00000003-ffffffff.binMD5=42EC2144BC42E3FCCE0963427637BBA0,SHA256=2D7F9A12E840D1B88557270CF680787FE79F28B4CF89A5724CEC306FFE552751,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.439{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20191009-070226-00000003-ffffffff.binMD5=15BA11A04BCEFF88A13E3E1800B5A9E8,SHA256=FA15542D7C7596B82319AC52260EE714843393DF1C7D4434FC947A14D32BED20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.423{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20191009-060455-00000003-ffffffff.binMD5=3A5C88840356D615D44D419D0CFCD249,SHA256=E96D6A5194A410A8545D7BD8EC8BE17EFF4FC7A0863EE674B1C2D1329629D349,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.423{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20191009-060224-00000003-ffffffff.binMD5=D27678BAF2042D393B31354234D08E9F,SHA256=C34C44F60A27501285CF4E02E0DED5C1F4A56469F9EBC143BFFE5AEF08A95908,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.423{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20191009-055213-00000003-ffffffff.binMD5=89CF66EC3709C73EFBBE70516A0C9A73,SHA256=D5E064BB5F1F1AF7F9AB5E07A6DB560B0E642707EC7490F97835ECD17F4635A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.423{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20191009-052742-00000003-ffffffff.binMD5=0E3AF00730BDC5D161CC97837BC2806E,SHA256=0521AD05D8ECD1611388B8674E375B774D4B1478C709EDB86884F4D3DDFFA745,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.392{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20191009-052626-00000003-ffffffff.binMD5=A3B35DCD9D8565B1E1CD798CC82E2D8D,SHA256=46C4439726EFB2379F5C5353BBF4EF252568D02F18DF2ACB69B146B586D54001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.376{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190911-100223-00000003-ffffffff.binMD5=1DF3D6A4435CBF77C1B2A74B063D0124,SHA256=1318A6056C8E85153AE41B5990A2A12CA3E8A90EE2557240285028E059D90E98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.376{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190911-090755-00000003-ffffffff.binMD5=39C1A0C3D38A1C6C1E9F6F1E443A5C14,SHA256=465A428133575D07F7B8740A90FCB152218B7D040634CF997517C079E93B410B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.376{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190911-083828-00000003-ffffffff.binMD5=80E7A69B36F211C240E35299C2C87794,SHA256=3887628B942CB6BF87DC6C5E47466715C18BFC60C6AD0D92B9CEFE275C33DFFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.376{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190911-083559-00000003-ffffffff.binMD5=564BA5213C5A9E4AEAD28468CD6520B5,SHA256=EA8467E37607BD54FB001EF47DEDCE363BA3B82A62EBB86D5A6F5D8D4C4BD8DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.376{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190911-082554-00000003-ffffffff.binMD5=C223D63EC568163E28AF8498B9814B08,SHA256=66DFD04E0055CA3897480147F60483AE1B807821A31BEEF87376132FDFE22740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.376{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190911-053254-00000003-ffffffff.binMD5=F537DE794743889451A60ADD45F9872E,SHA256=53F1195CBC911CA058D0E191A6FCF1B80A7E43D01A4C56D4743453CD779D8D72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.339{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190911-053152-00000003-ffffffff.binMD5=1045C55626938A602BF448C043B53CF0,SHA256=8168E9221A61F82682D2606B8EE102FE79821D855E951455D2085A556C2B9FF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.339{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190906-081209-00000003-ffffffff.binMD5=7230B4FF84237BF96269C96E78DC28DC,SHA256=004AC6C8BB593148B329E6F90A048376B3C9775979D53C75FECCA75F2B8407D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.339{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190906-065202-00000003-ffffffff.binMD5=C880432A4A1A61AE8CBB493D18AC9AC3,SHA256=212874C7AC0C8F5E271AB4A3137F6CF13531A75DE4ADB8DD529DE175C0B64382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.323{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190906-060330-00000003-ffffffff.binMD5=AA4FEDE2BDF8EEF457A6D78C3EF0F40E,SHA256=B6E549BCDBEBD64200EF1566B82D1EB5BF3048A9D1E89E2B93C297AD6796496E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.292{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190906-060112-00000003-ffffffff.binMD5=CBCC9A43F3281259333070D70E1B5E89,SHA256=DABBD49F194A478E60386F7CFA4B7F98C6FAEE4780989E648244AC4006F058C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.292{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190906-055150-00000003-ffffffff.binMD5=B4F588CB7D2227CBE797E64CFCE292CA,SHA256=76E8F38B2218E00597FA5695FB3375D8201CBDE114C525ADF58CF4EC8AF7047C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.261{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190906-053246-00000003-ffffffff.binMD5=377BD87F135BA927A835A512787E3F1F,SHA256=D6CEA42557A05306136A0BF5B6EDA838A23CD4C41FBDC5866BDC63F8AAFE3447,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.261{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190906-052848-00000003-ffffffff.binMD5=A35F7ADF97C1B703B9434ECA6579EDA3,SHA256=492E92CC60820568FE386F17A88CC34D56B60D834C05BA05483E6EC3672B4AAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.261{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190906-052800-00000003-ffffffff.binMD5=9F398C8CA433ACAECAF251F13F21053E,SHA256=C1570B6E892E00BEA33D7EE4803BB9EA4F741F20211F3248F2E2ACF1C4E87643,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.259{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190612-072731-00000003-ffffffff.binMD5=59314BB0DC871FE467DD13E95BCF0205,SHA256=66AC76D9E2A5C1A594BF22996D9861A5BC32819AEF1BECFFD4BAF15CD5447C2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.239{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190612-072408-00000003-ffffffff.binMD5=DA3EF8B007B8A0B2BDB638EEEFEF9D6F,SHA256=ED4DFA4643A813E508358871D29854026D7D983E473A4E636595E6A242B52884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.239{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190612-065846-00000003-ffffffff.binMD5=CBC574D15E3FE85A6B72B5A0C1A0D55F,SHA256=85727FA013806D83FA374E93AD7135B67B7286991C02C95E730AA20E1AC5F2A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.239{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190612-065651-00000003-ffffffff.binMD5=2E8C456247CE247B5308BCACC18CEF41,SHA256=CBBC2CBC8474B8CB905615CA6D8A2AE0AB6219461522F14A932CA58FE2025502,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.239{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190612-065647-00000003-ffffffff.binMD5=F5C8E103F45C80486B2F0C4CF8790CD7,SHA256=BE09090893194858549F1427B3B2949B9AB0C651E004D024BF0D627D3F634646,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.239{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190612-065527-00000003-ffffffff.binMD5=86CE1E16904831563D4D652A505EFBA1,SHA256=C1F5FA16D188F881C3D7BA5872F4CDD92C2446D4644AC267B54A54847A60340C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.239{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190612-060407-00000003-ffffffff.binMD5=DA03F5564C96E7BD6C4E93FFCF2DF36C,SHA256=41B270AD899AAF5DAC2AAC4B9B438489608AF6C9133506481E8744F8E1D1305A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.176{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190612-060139-00000003-ffffffff.binMD5=719D0A190C3625333CB0B9F73A855ED6,SHA256=B6C3236B47FAF352AF3A7CC992CC5E590E8A00BE654713F94474894BF695CEA1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000061977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.149{67EB100B-6B63-61E9-F603-000000002202}23527068C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000061976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.139{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C69A4BDD2195B62266FCE6296E971D55,SHA256=02EC130FBBC13CA94F4A410383033549976CB236F063E66784363D456F0682D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.136{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17BBF4EF4013766B18A81EFC93E6BE5D,SHA256=7C55747F2896F106B70C1DC6C7339CAD2720F59D23F69C772FCC751741479365,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.133{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190612-055144-00000003-ffffffff.binMD5=D1B0F1ACFF5D1C14BFA7116B8E070E48,SHA256=EF2D40AA643BCE3521466B8945C9529D2FE6B24C6B91B446E71D4C7307B1001F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000061973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.104{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20190612-052851-00000003-ffffffff.binMD5=EC571EC036C07EDF8C78C554FD88EF0E,SHA256=EC75656CC06AF3590EDFDF3CF6BBB9772D4F15A97B47DAAF06C25880F90DA653,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035518Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:13.968{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E037948E97AB36D000DC0E9A863DCAD8,SHA256=14370DDD58A69A5DCDDE540C5A22E6D3E828929ACAD29235D0A0623EC843A3F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.979{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20201209-071552-00000003-ffffffff.binMD5=8A532C7530D8CBCD98C92B66E719ABE8,SHA256=35289C6A6FC6F867AAC64BDCEC6657A510FD9328BEA09E7752826FA8A82CC8EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.963{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20201209-071330-00000003-ffffffff.binMD5=69CAD266C1063FD99E4AD70B3852F199,SHA256=BDC86F9AC1C7B070934A432AE56A92D4ACC79704128DC6EB7D3962ADAFCFF385,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.963{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20201209-064254-00000003-ffffffff.binMD5=93C172E5775FA93C3D912E1603F69C1A,SHA256=71478C6E120AC415BA04011D542C767EC884F1424188F0E2A6F84464FE9FD0C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.963{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20201209-062638-00000003-ffffffff.binMD5=DF9AF6D0DDEC51ACD4013D18E58A7A9B,SHA256=08438A0A8B768D1E0D7FB6B568C3EBCBEC34FB86FE1D8448D413ADBF7F74989A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.963{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20201209-062634-00000003-ffffffff.binMD5=A6D380E4EA612B29A063777950ADE9C3,SHA256=8E3F8EE5228EDF30FC22BEE1D79538AD2805962D84A0981B877C811ECBB6F381,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.963{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20201209-060549-00000003-ffffffff.binMD5=AF90CBF33F9D16DEC0164040ED712677,SHA256=0DC3C0EE859118F5F8ABE96AE7D36EF59D9857606053D25664F516D2911E4807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.926{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20201209-060218-00000003-ffffffff.binMD5=304F50475D888930354C278B57C65FD9,SHA256=61813B1354EE9CBAA51855FDB2543148827BE42EAC2532DC2EE49F7573749919,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.926{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20201209-055153-00000003-ffffffff.binMD5=DE564A0BB551C85D86F4AE28417BF908,SHA256=F73EE57168474BBD8E564117A3F7CAA57F2FD5B5FB83EDE9512FA43B125D4E68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.926{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20201209-052547-00000003-ffffffff.binMD5=981E1AE2703D4F51E3797FD77805858E,SHA256=73EA9B86C89384C3605AA5CCA9B20737E240FCDD65203D0610AA1FAD8A9BC38E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.926{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20201209-052154-00000003-ffffffff.binMD5=436DF1B6A781DC52AD0CAB4C5AC6F682,SHA256=DA885E308721A6A4B445338A6E608B31FA0A09B2A0220B07154239EF3675FF75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.926{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20201209-052030-00000003-ffffffff.binMD5=98AB82D4175AAAEF358DEE5986C643AF,SHA256=C5C0FCE235A8208FF89E2DBEF33E59A304979F41189B14C83DC26C5CEA93CB46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.910{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20201111-053800-00000003-ffffffff.binMD5=FD0ED24E38158B67DCF5ADB4EA08EC90,SHA256=4319A4C594D366C4F8E44F96CCEA8E128E45988C7B6CAF0E298034CDBD6E170C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.910{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20201111-053551-00000003-ffffffff.binMD5=ACCC7F04BBB8066AA6634AF077FC9E7D,SHA256=5E0E6E1EE293EC8645CEFDE238DDA26F1665A4955F1551B1B76109D2F2B5B580,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.910{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20201111-050239-00000003-ffffffff.binMD5=444073185DF3CF7B6556FF6B7ABB4B55,SHA256=D2E20C11DA3D27592765AEE6A225F244C262FDCDAABE429E6CD7060B515F17C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.879{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20201111-044454-00000003-ffffffff.binMD5=B709E92DE0C2E82FA3A8A698A12DE3EC,SHA256=C23D606AD8EE3E58F723495BFAA19E5D5518FB5F627DFF7B651A921141FABFE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.879{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20201111-044451-00000003-ffffffff.binMD5=06DA7D48EE5329352DB3FC55CAEBB290,SHA256=6654B66A652F8DE638842137A195AF44BA0F8736BC850C421BD09FE39FF28FE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.879{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20201111-042433-00000003-ffffffff.binMD5=03ACD6B8CD56B2711958C11FF8BBBBFF,SHA256=10C6CB3611F52FCB785C0724B6880E006D48CC6D2BFB98FDFA8610797032C140,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.879{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20201111-042113-00000003-ffffffff.binMD5=B71B389B003D3868282EA57F2A5550B7,SHA256=24BA6D2E28D1870B2B26EC980AC7A6AA0D9AD78E3D557203C9E569FACF2F79F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.841{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20201111-041100-00000003-ffffffff.binMD5=5ED3991F4197CC171E15E3926601505B,SHA256=143C179C836BF4C060ADCE98834B0B60213BEF6F55C54AD6B24BFF65B78A91AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.841{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20201111-034505-00000003-ffffffff.binMD5=EC68BD22D85CA4170C297C6A3213516A,SHA256=4F0960AEF8AAD3E96D86C75BE559C211DC60D244414D5A2D971232B9151AF03A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.841{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20201111-033939-00000003-ffffffff.binMD5=3A61A3FBA7285B74875C5170F073ABF1,SHA256=4428E8A185C1FAF5F1F5F0CEC527C4D08BDE9E05ED1CB07F1A97108AC2E22583,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.826{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20201111-033830-00000003-ffffffff.binMD5=8639719E629ACDCCB4A0C50CE095025A,SHA256=E06DF4103EB28E57652C31BB8431AE38353BAFADD4874707244483DB3E93A064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.826{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20201014-043515-00000003-ffffffff.binMD5=7191C4C914F9E19A9920B1B6C87EF472,SHA256=62B86C02B8D505AB0620D8B42B0F802A003E08AF4095D8089AF3056C57CF3E89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.795{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20201014-043259-00000003-ffffffff.binMD5=1D059CBBFFCFAD16369E72D6E7CD8784,SHA256=38F45A14727184847C0B430980829E9025A05FDF97A1852DCA235024D332B29B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.795{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20201014-040315-00000003-ffffffff.binMD5=5E92F6B6E16FEDF40A4024AA901801D7,SHA256=22C16687B95DB769AD04A11431C607FA0D8BB486058833EDCDD289FE244B74A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.779{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20201014-034712-00000003-ffffffff.binMD5=DC126A964504E64E70D0069B8F595D03,SHA256=25926A8FBA9353A93E2CAD4B96DDE5DFC9C18134D484CEB5358D27842936E649,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.779{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20201014-034708-00000003-ffffffff.binMD5=00C152132E0FB444D8D4170F0109525B,SHA256=49F46476B0ACE69FEDC15F00A685F79AED0D473930AA1531AC53A6E815289EC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.779{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20201014-032750-00000003-ffffffff.binMD5=039B45723B8A9703E7603BB36F7CAA78,SHA256=8004939B2B58C072B70F7AEB5BBD987FDF106BD1AC97C568A907BBAB4DC1ABF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.761{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20201014-032430-00000003-ffffffff.binMD5=276CDC9804CDE76C6C89A8938366F13F,SHA256=76B80E9B8DDF9A74C333F6012B81C89F9B5420F7874EF67B978E9A7C62FED618,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.757{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20201014-031417-00000003-ffffffff.binMD5=113D8983ADC80E81BB70662B442A0882,SHA256=B411AD66226DCC506CE76C0FD4E89151D7BD929C4462F2399B24FE4D395A3D15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.741{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20201014-024905-00000003-ffffffff.binMD5=F8A99526ABB808EFFFFF2C782F7BBADA,SHA256=54D429FE27F3ACA6D0107DD6D124CC9A1F38A0B332BB9714053D96D39C8E05D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.694{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20201014-024504-00000003-ffffffff.binMD5=35587064571648637B936BE5129219F2,SHA256=416955BA4B469D0700B8A0CD7F45E801D1619CD08D51B159F937C2A85D3F4FF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.679{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20201014-024353-00000003-ffffffff.binMD5=80BA8A3A5026E6CCA2BABE9DAAB9448C,SHA256=C435C667BD6264A4601E6D1D12C158671EFB46D0A823D57051A6DF13C8E51BE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.679{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200909-052606-00000003-ffffffff.binMD5=A64D7F8127DC50927238A3062341369B,SHA256=FEE367FCC8D8291F6231B0A542F93BF4C11FD539CD8DC58247DAD5EF255F3FA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.656{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200909-052352-00000003-ffffffff.binMD5=D3102226B44D5929FFD11A1484EA0171,SHA256=BF9C6088E275C9F9EEA98963E42C669FD9D82146D56DB5250BE27E9EFA81D783,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.641{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200909-045225-00000003-ffffffff.binMD5=F1F31E1CBC2C72D97167AD35F4433150,SHA256=CD93A1CD8BE52902B66F0BFCF5A5EBFF26388D29A5F9F055AA54D805F24B8193,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.609{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200909-043408-00000003-ffffffff.binMD5=C25C44948588F2331895770DFC9923BA,SHA256=C52A880696CC364406FE092AB1AAC2F18585AA7E7719229213C765DFA80B020B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.609{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200909-043405-00000003-ffffffff.binMD5=ECA280A0465A0B29CA78294383E8F5A7,SHA256=88B3FD26AD24EE7776595ED0DE6272151542DDBC57D9127F79E84159DFCC05EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.609{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200909-041926-00000003-ffffffff.binMD5=81C9DD40DCAD175BC94F17066E9F8621,SHA256=3638093B0392686D3473AB0E306633938DC7A6AC1B975DA2214B209D5710B476,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.609{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200909-041606-00000003-ffffffff.binMD5=BA00011D0BFBE8FC3D37F8181E73986D,SHA256=4EA822EF954D6A7F13A75F263783B301C0873E5490687C03E8A5F310532AD16B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.609{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200909-040557-00000003-ffffffff.binMD5=1832399ECCEB4D77EC433D6DB664B546,SHA256=94A3E1BB34B62587E71803E503D85ED6D26053DC3143DA57B127E85EF2CA8154,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.578{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200909-033859-00000003-ffffffff.binMD5=B0F8E64A0FCEB284CE1336DFA3C3A854,SHA256=6F10D08E5FCDF024393616FFED0B961514DC37CB527643F50E2808D3D67E8F6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.562{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200909-033453-00000003-ffffffff.binMD5=4AD54EA7BD4D25B9B12173F9E482B386,SHA256=A407E90DD9BB35489BB3CB9ABC8D1C027E59A732FDCECE217B99BD2BF20F638A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.562{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200909-033343-00000003-ffffffff.binMD5=3B533010D4DCF8554E2C6B02C7126307,SHA256=36E5C102AB908D124392AD6986C36E0F0282712119E14CB3961C027B8A15771B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.462{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200812-043508-00000003-ffffffff.binMD5=457607B66D9455D0312EFF1D6F9B909A,SHA256=FCBECEBD6EBE80622E81ED3068A7AFEAB06E65F91336EF2DCDA9DCF6EFD72CA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.462{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200812-043306-00000003-ffffffff.binMD5=26F73BE4BEE7B9E6D7D0CE587C0239B3,SHA256=A97869C7222AD99D8C31217C83BFBB15DF6E6458742018845F90982B7A85FDD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.459{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200812-040028-00000003-ffffffff.binMD5=3F4B878D599DD984187742284BC768A3,SHA256=D7B44B71A9A8D8C7CFDEA2589B58CF266A3B21809F0C5EC52A40627120DE3D66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.458{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02B5952EBCE98DB023DEB8B58A5AC397,SHA256=8D9C0D7F8967FA27A286934F21BFFBBACA45D6E2A96AD6435412FD8B8161AAA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.409{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200812-034327-00000003-ffffffff.binMD5=2ABB79B3330050E4B03DF31932398225,SHA256=B9C92D4A2344FA742F4E8E079548E42B75AF00F80E90EF9F69C00F858A86B45D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.409{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200812-034323-00000003-ffffffff.binMD5=C4CC921F0E353EC27871B60D72E94439,SHA256=6B6B6E0E4EFFFDC6D2A700F1779C507A4BAE87CA25F18E6130CE26281A0AF5A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.409{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200812-032126-00000003-ffffffff.binMD5=24A91E45916ED995A7B7E5B9F77B6FE3,SHA256=58E855E50B83794B9B0A8508F0BF3BE0F70EEF995F9327EE756019E653EA570B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.409{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200812-031749-00000003-ffffffff.binMD5=EA675626EE6513AC218244217BAB07A4,SHA256=2F3149E250AD59B3F78296977AA5960A789D37B50711604DC18E9A081729C4A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.409{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200812-030723-00000003-ffffffff.binMD5=0CBBA03D16DCE5843AD8FB009347CEF9,SHA256=58942A6249D9CB4EA0B3FF7E7A44F9B184B87188E12F3366FC10E7B7A500662B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.394{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200812-023720-00000003-ffffffff.binMD5=2E27991CAB3B8B4572D67463B463B0F8,SHA256=798D39EC2A795D2C7C6AA8A7EDB1E3E6A5883292051E7E220E37CC98D1AF835E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.394{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200812-023600-00000003-ffffffff.binMD5=1BAC4522D19343042E70022017486A51,SHA256=646FE141B4E2F185C65452671318B76639D52CDD2E557FACE934C474FF6356AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.394{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200715-072711-00000003-ffffffff.binMD5=81875EF2160115078870CB5E8E3BF978,SHA256=4ECB9C6104DBE40D4C1EF5A8FB38DBC8D35C79F323BF68B74E2F0F5E53E2236E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.394{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200715-072457-00000003-ffffffff.binMD5=F2091902362CAFA32DBE5E29DD9EC0CD,SHA256=5B03834881518A8D06B7951D01B0982CB0B4353C6B80A5CA122D0F66549EE424,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.394{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200715-065318-00000003-ffffffff.binMD5=44E416D3425FC92D26DDCBB30C1CFCD9,SHA256=7EB3E1E02CA9697A5FCB43E5201F3F0C65C28F4B87D3F2620F602B8B956A120C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.394{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200715-063651-00000003-ffffffff.binMD5=13D7F30A10B98D41D85508AFD6DA5D3D,SHA256=1CC640E79A857B3FC8FE6064BD9EF4EDF36428D5731077954898D0093526C17A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.394{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200715-063647-00000003-ffffffff.binMD5=20D5E6CBF0945ABE9C870B9C5D47A221,SHA256=BA6641DFA227BCC8D07952A2E0426E7A0DAF8F5C2435F546C411B192DAEA1D48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.378{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200715-061613-00000003-ffffffff.binMD5=82AC75406446FEE998D7288CEE4E00FA,SHA256=66F4839DBF9F116FA10A3350887A427A1F1E294DCF952746E8FB545AAB0B798C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.378{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200715-061248-00000003-ffffffff.binMD5=92FF7B7192E9F226B5B4FECF4F331CCA,SHA256=EEB51D9389278FAC4A45EEDC63657DC91A4DE36FE2D76586ADADF3C1D9B7DF00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000062103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.223{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6B65-61E9-F703-000000002202}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.223{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.223{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.223{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.223{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.223{67EB100B-5230-61E9-0500-000000002202}4162384C:\Windows\system32\csrss.exe{67EB100B-6B65-61E9-F703-000000002202}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000062097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.223{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6B65-61E9-F703-000000002202}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000062096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.226{67EB100B-6B65-61E9-F703-000000002202}7044C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000062095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.223{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEA4B285E048AF9256D09FB9B71F31D4,SHA256=A1E33F3BC3919B940629511D27A1070D801E972B98B48DE0267F52133ED4DB04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.176{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200715-060235-00000003-ffffffff.binMD5=63763472783EC60814D7CA362BA607AF,SHA256=BE8F6470AEBB1DFAA5144E86B3078DAC6B72C147132A2ED5C322B91795D6F99E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.176{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200715-053601-00000003-ffffffff.binMD5=64D202E89E6655A5BEC98D04662F51BC,SHA256=8E841E1D292BD8DB98664C657F3B56D2416DBA375BB2BBA224FDB7DF148C33EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.138{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200715-053446-00000003-ffffffff.binMD5=FB36BE72F0A2517F36F14D5D4AB286B1,SHA256=BE7185E0208110CAD22C153B6511D0CA66C1F018B338AAA093245225E025B288,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.138{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200610-071956-00000003-ffffffff.binMD5=ABB4D8E7D25F51DD4D328591385F549A,SHA256=1B3C9BDA00B7C46F85B73FB498D339CE74B98AD37DECE4A80BEFF99656B9879F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.107{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200610-071704-00000003-ffffffff.binMD5=9331CD077C1E796FBE079E0D767536A3,SHA256=475EF73C58CE841C03BC79D51D5055F93A96E3086BCCAF9C361A16B309640304,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.107{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200610-064733-00000003-ffffffff.binMD5=D93009B091FAE34AA0628670EDBEB278,SHA256=283F7D27FC3068E98BA12EAF4C37B6E3E0EA9426E0FDA2E9D7E7C9CB85C1A83E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.091{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200610-063110-00000003-ffffffff.binMD5=D64F057F0DC3CDDAD52E56919A8D25A3,SHA256=57A7180105D6B35C1E6C3F663D39E754D85CEA99FE10935A5BE3B12704678741,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.091{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200610-063106-00000003-ffffffff.binMD5=FE2DB555D562B81BE3504430C69DC270,SHA256=A81E1B6B49BE817BFCC868D054EA7C43F003F1B29FFA0BA2B19798023DC07C05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.091{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200610-061038-00000003-ffffffff.binMD5=C77836ECBC64C915DA8E8C1042F1ABEC,SHA256=861F19F83CDEDD9DCECCF9D6ABE33BDFE5549CE5936D9A61536756AE58DA0E48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.091{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200610-060720-00000003-ffffffff.binMD5=4CFCF714635AE24C0B0DBE2677D77416,SHA256=ED9F20FD796848977A88533DFEDD4F89DB5CBC252CDADB4A4B91459C5E9254FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.076{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200610-055709-00000003-ffffffff.binMD5=E7DF2AA21D39AA592972B03E8D66FC82,SHA256=B6BC443FB677D0E7043BEB25FCB0AD2F2D1B434852772711439451DD8F5F6443,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.076{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200610-053031-00000003-ffffffff.binMD5=9C6E7067B5E506DAD6BEE1ABB0DF347E,SHA256=DDB014DF3D3916C9962FD8A372A10930537F4CE86521B6F3A73F1BE9E6891E59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.038{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200610-052915-00000003-ffffffff.binMD5=3D37450AA47ACAA49CC9AB93854CA9C2,SHA256=E9704B7E0F03A8994202090030ED74F1EACC21541B593EA2D38D961A91594BD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.038{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200513-185353-00000003-ffffffff.binMD5=DDCDC719E331BE414251EA428C92D3FC,SHA256=287E97575868377A30A1F0C9E143E313013B869D38F87EA005E4241E52A9834F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.023{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200513-185108-00000003-ffffffff.binMD5=6BAB21B1CB9508BE5464F6B204FD3C5C,SHA256=8E85E406CBDA65A8EAFBD8933519B839F353486C337FF067EF718FDC0233CB92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.023{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200513-182035-00000003-ffffffff.binMD5=61DB5D67D0D78B1CB9167E851B28E42F,SHA256=FEA66FD6FA8208F7300D25FD2D7275E509330736F2DC35B6C59709FD0C371576,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.023{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20200513-180317-00000003-ffffffff.binMD5=F38A26F64EB8CD4A3463F91D2924795C,SHA256=DCBFB63FE556BAB328F24F4BAE79B08D8245012E1A3793DFD940C2788708690C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.997{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210708-011026-00000003-ffffffff.binMD5=6F8BE2A08513DA06C160200FAE2F1066,SHA256=D113158C186ED695710D58B89942F7BF00F8445060F87C0977887E2A874D898E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.947{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210708-005953-00000003-ffffffff.binMD5=B96526C187AD0110944835CF639B51A7,SHA256=36DE9ABB3C33F79967A7C542E7C1E4953E072E3FD32AAF57CEC98B5244E85920,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.947{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210708-003236-00000003-ffffffff.binMD5=B1171E60B0BB9091B0CBA0DD9382C4EB,SHA256=FC3146172F4FA8BE8A15650415760E342E44F01E419FA72BAFE7DB28E30BE7FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.947{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210708-002926-00000003-ffffffff.binMD5=47C6E9FA1B1E22251126419D948DCFC8,SHA256=059ECA59DF526131AC97DC943BC377B6D3E081F8D67703C0D57780C5290D8543,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:12.827{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62431-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000062247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.900{67EB100B-6B66-61E9-F903-000000002202}63206996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000062246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.899{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210708-002725-00000003-ffffffff.binMD5=56D47EA778E2B9389755EB12DA104061,SHA256=B651EAEBFE9A476C077AF038077E12B3F1646EF83C915DD3A10B39981DAD041C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.894{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210609-053655-00000003-ffffffff.binMD5=01ABE765230B60F9F62BECB72C5CDEDE,SHA256=D12FFE3EA7AD86C41F8A2EC93DF6C3F92B216BD15B1000C86B572FC1E5939C5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.885{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210609-053427-00000003-ffffffff.binMD5=68C20F54E9A333DD2236F681204F2CAE,SHA256=3A24C4EA5EC011E0E92B25DDEAB977D4C4259BAFC49D759EB9CB2BA5692FD215,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.879{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210609-053243-00000003-ffffffff.binMD5=7C382CBFCDA48124ECD918451E3CA1E1,SHA256=2281D774F905E508F64BAB7BEA131526C96F0CD12DB84D05A375E733E784FFD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.873{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210609-053239-00000003-ffffffff.binMD5=567B162D0F0FD753F1A8C74F81FF49D0,SHA256=557C3970082A84647BE8C05CEFFD66C6DF687B8D6B4CA9C0B7A9E44E373A5D16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.870{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210609-053055-00000003-ffffffff.binMD5=75FAAEA88CBE3DD63EE72E8D0F90DBF6,SHA256=6ACC97FD0F2512CFF5D3963357453AC224C947023EBDCCDC9F802B810CE2B39B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.852{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210609-052827-00000003-ffffffff.binMD5=25B5B31ED150D219125E3B7854F3F30C,SHA256=446E47E1FEE614F77AC5E95CE7EF2530824C6F1FD4B874F5CB8D03BB8CF278F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.820{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210609-045403-00000003-ffffffff.binMD5=794C84A794F1906DC33C03AF5FFAFCE0,SHA256=94631F9819DA2B300E348F2B8D4C33A8CAFAD7B017D32A187E403CCF7D35CCC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.813{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210609-041504-00000003-ffffffff.binMD5=630E01B5B3E865E63352F5C6DB70F121,SHA256=F78B832F28D4BC707B8B8391F4E9D123E1C5AE5A7DA5ABED1726489B225F288E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.786{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210609-041122-00000003-ffffffff.binMD5=AAE17256CAC299AD45E650ACD34CB0D8,SHA256=84C363A4A9F97CE1C7E4AB94CEBF2593F75EE129AEDDA8F8048A62C9D7DE53BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.780{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210609-040048-00000003-ffffffff.binMD5=D8FF9ED15157DA497B30FE4C379795D2,SHA256=CE3588C390205E588ED1474D46E3AFDE4EC8D3BDF51310C1F9E681E1F6DF32BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.775{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210609-033445-00000003-ffffffff.binMD5=89BC90B0913FBCE383E70E696713992E,SHA256=D91B659ED0181366754D51B18F26C1B369DBB190C08E25EAB65F4DD9E1030E9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.760{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210609-033106-00000003-ffffffff.binMD5=8F68A773F21C1455D28EA1556FD3C913,SHA256=7836B80389704FFC3ADB6DF535D7544DEB7DF543CB0F1B59DB11352E2A29955B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.741{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210609-032955-00000003-ffffffff.binMD5=40F8C52D174720A525E30F7915ECF57D,SHA256=C4CAE6AE0BDDB3FEB8E6013698ABA6940B9FE89A4E4CAFCB61F3D13DEA15A9A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.710{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210512-053202-00000003-ffffffff.binMD5=A69598AC1F38F5FF66247D331A36700D,SHA256=12344B545CC9516BB862EF8043FF30AD84D3A6C96FF9154A6C4003867742EFEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.710{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210512-052940-00000003-ffffffff.binMD5=4EB733E0C9F37B9EBA73E07A5672C62B,SHA256=1544BC85341AC6AF10137C1FBA3C90E39DC9CFC7D0A95559DC648B2CC4C25A85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.710{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210512-052702-00000003-ffffffff.binMD5=CF6F65A6FE1A50A405145B2491B4980E,SHA256=F79E89348D2BBC9136E30B3D29C185299785A0057F991B141A49F31E4A7C15D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.694{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210512-045210-00000003-ffffffff.binMD5=7A637083357E6808CA44DEE4A07268E9,SHA256=C375D321C449903D3A12E2C8EB00BA867D4E5150A8FECD0D559F0EA99D3CDB47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.663{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210512-041233-00000003-ffffffff.binMD5=3513D4829AB77371068AEF770F459134,SHA256=29F300681E9C327534525AC04FF3DB8E93D43C89E6F3E071CA07242844868819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.627{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210512-040846-00000003-ffffffff.binMD5=9E01CAAC8EFB3ADE387CEB6BBE38B733,SHA256=F5572F5C3112D953D8E4F637AB6373DDC63D1605CCF3CA793574D981D98E8237,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.627{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210512-035809-00000003-ffffffff.binMD5=3AE8ECD8DDB5A0243F27336376C82F83,SHA256=737E8504C1190A98199BA9BCB39064363FBA842DD20EBF5FC7B2504E04F16EE1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000062225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.610{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6B66-61E9-F903-000000002202}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.610{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.610{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.610{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.610{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.610{67EB100B-5230-61E9-0500-000000002202}416432C:\Windows\system32\csrss.exe{67EB100B-6B66-61E9-F903-000000002202}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000062219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.610{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6B66-61E9-F903-000000002202}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000062218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.611{67EB100B-6B66-61E9-F903-000000002202}6320C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000062217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.594{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E8BF4A54592EC6F98A0359402D4A231,SHA256=B23E8C39FF09B716185E835FDC8BCFB5A1F4CA4149D54B5E8E2AB0786A91510C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.594{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34B2B7C4E5B1943F3E91411EAC0FBB86,SHA256=733335374518AA86AC1E591028A5CEF4418EC809FD0CD3CB92C7B79F31FF62B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.594{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C69A4BDD2195B62266FCE6296E971D55,SHA256=02EC130FBBC13CA94F4A410383033549976CB236F063E66784363D456F0682D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.579{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210512-033152-00000003-ffffffff.binMD5=528B51E7DBF4C77EB225D837E2F3923C,SHA256=F6B0BA79F9C33DEB9CB077391D43CF10CD07FF2536CB14F07E1EB09217A6850C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.579{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210512-032856-00000003-ffffffff.binMD5=6EFA2B1A2928593EB1A8ACC6A3135AEE,SHA256=A08EC28CD096704EA151858A5E423BAA5DD641E6C2A5C1C3FB3AFD371DABD5A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.541{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210512-032738-00000003-ffffffff.binMD5=CBAE6319AF2A5F4C284F912611047B44,SHA256=D5B49A599CDC27C4083E9347168CFC510C7116713385DB95CFE1000EFD918CC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.541{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210414-050712-00000003-ffffffff.binMD5=451B0E9101B7697F39A71DF9EECD9CEB,SHA256=7CB8F5212E42F297D27D19A21F5A751630F5707625BE44CB527FBC9D1B84783A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.526{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210414-050443-00000003-ffffffff.binMD5=0AF3A1E979A83BA45CC5973B37136A3B,SHA256=B2F38D32E71982C6AEE6D078A1FA056F66A569DE1248B37735B7C01F13F81BD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.494{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210414-050259-00000003-ffffffff.binMD5=30B9C17DEAD89473C403ED8389E99D59,SHA256=9A9E23B3EEAFE4399E7FD0DB87E2CF6736BC3F4A653B2E159D690B3C1B014B6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.494{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210414-050255-00000003-ffffffff.binMD5=057C08A1074DBEE5C026210643B197A7,SHA256=C2B97BF838B596FCA23648004728B916EE586BF087954F71ABF0AB13F0E10F21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.494{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210414-050111-00000003-ffffffff.binMD5=B342A592C0ECC8B2B58DA458332EEC09,SHA256=2F6FD0A8E852CBDFBAECC6F33288843AA62FDF77308971D7F0BF3D0275B8B2ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.494{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210414-045842-00000003-ffffffff.binMD5=F7C300AA1F1354DDDE313E9C9D80F0F4,SHA256=F06E8C8F8899CB4F54F56455A40902567A1EA815A9B00C7ABE39BC9784EFC768,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.494{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210414-042340-00000003-ffffffff.binMD5=4AA1F5A70C20F8F04F9DB6597B6EDFD8,SHA256=A58D941DDA51B99AB9D6F7A6524CC30E976F609C40AABB3184624C910B65958A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.457{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210414-034319-00000003-ffffffff.binMD5=B534EA8E9EA69599EEF9BC64A72799B9,SHA256=DC41ACBC4BED9F94B5D8CC8108A8B2DF2E154E4CA1E23E3F4191930FD118046F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.394{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210414-033944-00000003-ffffffff.binMD5=972EC079C2791D345D3410D0C855BCE1,SHA256=8CAFB5692F937A561F47F642A07E210F26CE83B3DA2B332759CA522B5881CF48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.394{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210414-032919-00000003-ffffffff.binMD5=BDFA5FE349935DF800947E441EAB2DE7,SHA256=77A458826377E3189853A81C2E866FDF63A46663C03A10FDFFA29B49D16DDD77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.394{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210414-030300-00000003-ffffffff.binMD5=30A8D7319CB986257591C113031DD4B8,SHA256=3BD05568FDFBE1DA0AD9D8698CE82FA7E423ECD8B2EDD084DDF13F93F67F08CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000062200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.360{67EB100B-6B66-61E9-F803-000000002202}21201812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000062199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.341{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210414-025900-00000003-ffffffff.binMD5=8F365BB41371947C12BB4CD2C3799C0B,SHA256=164B215878BBDBAA80356BDD07496A337F2565E3B4532E40DF8E90B286F61482,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.310{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210414-025516-00000003-ffffffff.binMD5=C0FD2E101E6CEBAE8B32CE40E32BB2C2,SHA256=E3249391F01E66986889740A79A37E6DA322BF53EE49A45DB0960292C86866CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.295{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210414-025347-00000003-ffffffff.binMD5=D296F6DED2D287CCAB1054D45E221815,SHA256=AB015183AC13F8F2654A7E29B63ACF99E0CF893DF8E66C3BD898FB58D43D8526,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.295{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210310-201821-00000003-ffffffff.binMD5=BD67C5E34F8E778CB75F234DC9A7ABD9,SHA256=419C427F13E32A1D08B53C978E87B7F457BF5FFABE7DE3E5A3D42D6DECDC8E68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.226{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210310-201632-00000003-ffffffff.binMD5=228B6458B7196C68760A78FF8F76913D,SHA256=5C70E358E85888B62CEC1E33A26827C18CEC7766426AD142804570DC4FA33B5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.210{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210310-193846-00000003-ffffffff.binMD5=DAFF6C9262B765A57DED596E6911105D,SHA256=03EBFB3115A189BF17BA46D320AD75369B81BCFA236A300D3E2B467D0C5C1659,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.210{67EB100B-5642-61E9-4001-000000002202}5756ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\7iz75hwd.default-release\datareporting\glean\db\data.safe.binMD5=FE4B9B975894C43C8DBDEF3B7D4CADAC,SHA256=684B648066AA34378D399093D39AB93D6C4D07B5F7FE2613DE02DDAB18C17BDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.163{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210310-193641-00000003-ffffffff.binMD5=6EB2F6E51D98C0EDEB7DE13C91D2697A,SHA256=BB0E05A28CFDD2DE82614CBE433C188B2D3FCC7FD1BBD3D0B578E334850A032C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.163{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210310-193637-00000003-ffffffff.binMD5=4564C5750A64BDF69271EFFBB863B4B4,SHA256=600ECDB67FD812004DF33792F5538F508664C10E0B7DA058E3ACD4BCCDE09580,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.163{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210310-193421-00000003-ffffffff.binMD5=8D4521450373CBDA1953C3D83CC1BF4B,SHA256=51B9CD54ABBAFA8032F8827D57425E45C8C51DDCA41F3B32843F72A12D387A24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.163{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210310-184855-00000003-ffffffff.binMD5=1F6882792E6D179E925916FBC7415B76,SHA256=75124A41EF810E9A376518F62AD49974E4CDF1A9960F9170C116082C233E6143,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.163{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210310-184213-00000003-ffffffff.binMD5=7E520BF286B2BD283B0FC609686893CC,SHA256=F877350F650D46AD13656CC7A8B10813DD465A03CE17A2A1F49EF07CD6F6DA62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.163{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210310-183819-00000003-ffffffff.binMD5=86F456F22074D96276A655C5F898FB0B,SHA256=0773E57454F41DA859B6DC9773DEB7445AD714955D3A68FFA2E3A184F0DB9B49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.161{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210310-182735-00000003-ffffffff.binMD5=CC73E216879EDEAF4CAD4BCD4E8EF0EA,SHA256=B69895DA3C32ECE8C4AE2B8BDDE70D95D95D09A22395EA6BD2255DCBFA852EF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.159{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210310-175931-00000003-ffffffff.binMD5=99A03B7126BB60802D538BE0F14058C2,SHA256=8E95B0E7DC0835AE4F7E06FFCB80E53F5A8A1C85D17F2D3F5FDB97240A2EFE67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.142{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210310-175411-00000003-ffffffff.binMD5=BEECB6346323DA6325F37C541CAC5046,SHA256=EA9C6DC2706E8ABB5036DDED786C76985ADD5540E23017FD193274DCB97D6324,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.142{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210310-175236-00000003-ffffffff.binMD5=5B5D57F739A55A16911E2F9A1731AEA6,SHA256=C6ED526B382107EC74A99F6635F0C144AC76E8B31F2ABA3A56FA1D64BF835824,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.142{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210113-222157-00000003-ffffffff.binMD5=288E58BF6DCEE0FA062A0001D6752F56,SHA256=0F5500CA96BDF00E9DB2445D04B7FF4765F63F2702B23D84B9CBEE52A1401D66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.142{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210113-221940-00000003-ffffffff.binMD5=7246823433B8007B39AD7BC7A0E22C0A,SHA256=5D4833B6C49F0895DA72A61772C38A4002C92D33CBD525AB17EAF4746A977213,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.142{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210113-214306-00000003-ffffffff.binMD5=0237819F7E49FDCF979886921C71BD4B,SHA256=18FC8E938F12273CDE307F733907154C9B6D695E831932FB542F4D33592B7882,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000062179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.110{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6B66-61E9-F803-000000002202}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.110{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.110{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.110{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.110{67EB100B-5230-61E9-0500-000000002202}416432C:\Windows\system32\csrss.exe{67EB100B-6B66-61E9-F803-000000002202}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000062174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.110{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.110{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6B66-61E9-F803-000000002202}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000062172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.111{67EB100B-6B66-61E9-F803-000000002202}2120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000062171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.095{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210113-205948-00000003-ffffffff.binMD5=EDD9CC54FB32E9633DB27B3D2EBF25A9,SHA256=71363B07BC16A28B57D730B6BA39C2E130C24518F75BA2AC23400215AA38E67F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.010{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210113-205621-00000003-ffffffff.binMD5=99946089FE843AC2E7D5AD1800ECC3EE,SHA256=04675F18B97C2D5800907C633D4D4BF8D38F7211F827835A6E37843585DACD5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.010{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210113-204558-00000003-ffffffff.binMD5=0FD47F88B872D31732BA1E14F9753C27,SHA256=621D1FF460EB6F8ACA88DD8447622C59111314EEEC679ABB0D06D20D4486B0E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.010{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210113-202011-00000003-ffffffff.binMD5=5E202227CAC71F2F5D28B6085196376F,SHA256=0BA0C1F8F48B59046019BF633D71EDF3745F536A56D42C118E42FEDD8D0B3204,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.010{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210113-201449-00000003-ffffffff.binMD5=B29FA0A0E01DA0E25EC630A2B72664DC,SHA256=D59E6A6A8D6FE32F613A32444DC61A3E4BD0016CCD87AC059955357BE4681951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:13.994{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210113-201324-00000003-ffffffff.binMD5=FEFD2EA418BF3F84D50A09EF877A9923,SHA256=A571B6C59C53399A63B0A5925DFFCFF7C07CE90B1D13074F1F60A80DB3B5F0C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.393{67EB100B-5230-61E9-0B00-000000002202}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local62432-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local389ldap 354300x800000000000000062304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:14.393{67EB100B-5243-61E9-2300-000000002202}2824C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local62432-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local389ldap 23542300x800000000000000062303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.799{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210915-034843-00000003-ffffffff.binMD5=1EAA9EA94FF5C666C9250BD1ACD4A422,SHA256=22387825E1F137EDC5DE8AB503C270EBA086A8B94EE1AF09F609404DF1866A5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.782{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210915-033813-00000003-ffffffff.binMD5=8A864317DA14CD39D8FC59B6B221AA58,SHA256=95D691057109BBC9F01E848BD762425DB7C119D6D6595D5AF15889B6BE240B0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.767{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22267831C46CD1AF6DBE27C0687C63E4,SHA256=E0B06FA0AD03F612C1EC861AEB9EFB2F80BF2CD5EEA4FEF715F435F4C6B0B76E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.767{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10BA9638F63FE8B0AF9AD3DA562E4ED5,SHA256=D6F3FDD4DC0752C88977E9384D012487504C51B246D75C4F4C5E335FA0D90581,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.767{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17055274D376199901F53282983EBF7A,SHA256=56154671CD3EB5CE7C25D0410DB93DBD9819F6D37E10DE6B29C5D7E70839263C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.751{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210915-031006-00000003-ffffffff.binMD5=D8FB84ED46353BA04287FF94A6A783BC,SHA256=455038EE9E6272B44EFD51DE6BA530089CF72C02C437E4E39B2E78880D017444,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.714{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210915-030435-00000003-ffffffff.binMD5=4EB19C670FBE751288C706C4A6782714,SHA256=F75C28947DD5F2AA3177FDD18C7E28ADF914A10AB0FCBA866C2EC1D04B3127B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.714{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210915-030314-00000003-ffffffff.binMD5=DBFED1816E50369ED6FB7221C4D0CE6C,SHA256=4634D971C06E7D611EFE35561D9B2702C2BABC08383044CD94CC24FDAF096FA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.714{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210811-054236-00000003-ffffffff.binMD5=69D58741DE98E0D0A6741FC62CFCAB3B,SHA256=94239BA27B4E4F1B639C5E68D503AD6E840B735BD24739F0252F0D2CD4DA3374,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.714{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210811-053953-00000003-ffffffff.binMD5=02ACB7CABEB68F80CC3C5D6767DE0075,SHA256=070B778292A0AB0FC57BEB3A991306CE06356F536729AB5E46C323D65113DCA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.714{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210811-053807-00000003-ffffffff.binMD5=B29825F9509DB584CCAC44520BC91758,SHA256=89E98902205DA506119A11EE4B42358A17ED9DA054D54FDCFB605FA5ABAA67D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.698{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210811-053803-00000003-ffffffff.binMD5=17DAB7E0350A1C5D9CFC8E32E581116F,SHA256=D12B5FCCC83DEB3419E849497B7D29863094D54A1BCC63E52E35B1DAD2F1D7AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.698{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210811-053738-00000003-ffffffff.binMD5=4287A4EF34BA8282F6F4B9196AA0FD47,SHA256=F6903EFFA36ED05BDD0E98BC078C0D92C5EC754CFCE9F6617D270CCF57E0CF12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.698{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210811-053444-00000003-ffffffff.binMD5=CC191C9822C1721B91289049AF04D0D8,SHA256=3899CAE0B36F4015F98BBDCAF3FAA7F93FF3F71AC5952353BC1F5D01D35AD7D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.698{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210811-045958-00000003-ffffffff.binMD5=EABAED9D63B6F0D852B2BCDE1A8982DD,SHA256=577A2B015B7D1C0E9780432E37A90CA888FE7458B7E622365E28BD504DAF7ED2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.682{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210811-041920-00000003-ffffffff.binMD5=FB964DF3BA7EAC86818FC1075778B262,SHA256=718B73D908D7610843D77B65DFDF48DE77F5C4B580CD64AE79316F73353DEB19,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000062287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.616{67EB100B-6B67-61E9-FA03-000000002202}68125660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000035519Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:14.999{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B91E4D77B4345F9ACEB285EE777DF5B7,SHA256=81E462398AE3A2C8CE6AA958A8CC50008973730736A858264C5C6B51CD0F87DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.448{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210811-041544-00000003-ffffffff.binMD5=0C247E4A1D57F7DAD658DC1E4BEEE44E,SHA256=382DC08882D5941158E1663F2E0C56855DBF9B11AA293C7B3FD92473CF8C010E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.432{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210811-040508-00000003-ffffffff.binMD5=34B1615604C163A115388882F73B42ED,SHA256=8009FC48781049C41E01E9AE80C33DE3E5BAC6CCF2B149AA1B80EC21FA81AB1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.432{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210811-033821-00000003-ffffffff.binMD5=36ABDF7799D1013E83D240935CDAB846,SHA256=7950B0900A5F373D60DE6FD9A2BF3FF73BB43DECF84237F76E59E9ADF73DCB34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.400{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210811-033315-00000003-ffffffff.binMD5=3B203E10329C104589D7D51D68DCECEB,SHA256=0919FFCD075A88EE5A414F9F3CE6D28443DA790048DFFAF4D532ED176870A7F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.396{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210811-033149-00000003-ffffffff.binMD5=445756BADB6941128B895DF05BFD7383,SHA256=5A6F4CD4D6636742107BC1392DFE502565EF048E2820E85CCF0338FDCF6777EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.379{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210714-050939-00000003-ffffffff.binMD5=B58B8005F63BAF11B3ADA6C7122943F9,SHA256=CC805F9FC4E81367BA55080B890A2BC51B4B699E103521B9F899FCF9534CD414,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.379{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210714-050707-00000003-ffffffff.binMD5=7A0ABE639568561BB61BDF5DE0958F65,SHA256=5338F7FCA69A402D0C4938F93E5F35F07DA64F0D18CA85C6F5A662F53F79DE0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.363{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210714-050431-00000003-ffffffff.binMD5=543B45C0EA868F182DF4DC7A06F7337C,SHA256=1B17B4F6131109964FE3480FC0CB886A4091495602AD348C999CBCFB747BB83B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.363{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210714-042908-00000003-ffffffff.binMD5=DF4C7FEA510590318A066C7E4087C76D,SHA256=22ADF3D157369EA139459DD7F50196745D8B66EA76F2EBCCFEB32AE096E6E27B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.332{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210714-041102-00000003-ffffffff.binMD5=E9A450FF8D40E0A569E77941C054CFFB,SHA256=D9F921D91BC029F88E01CABCCD3BC542E3561C49367760A06791F5A5B753AA55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.316{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210714-041058-00000003-ffffffff.binMD5=9763AD994E4F32514052D2D31861D893,SHA256=B57FBD313165588B059FA2E1BC35786BFA298BB1EF85C7B70E67A71A0D2BED50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.301{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210714-034556-00000003-ffffffff.binMD5=345F71A0F9083B3858F55CBA28DD40D8,SHA256=AB0B3926271E5590C505043C86BBAA8A2E64867A3F877FF7685294060A663AC6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000062274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.279{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6B67-61E9-FA03-000000002202}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.279{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.279{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.279{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.279{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.279{67EB100B-5230-61E9-0500-000000002202}416432C:\Windows\system32\csrss.exe{67EB100B-6B67-61E9-FA03-000000002202}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000062268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.279{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6B67-61E9-FA03-000000002202}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000062267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.280{67EB100B-6B67-61E9-FA03-000000002202}6812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000062266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.101{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210714-034223-00000003-ffffffff.binMD5=A8B066F649D084E4419C534C5701691E,SHA256=A1C510D8A71FE7CD712124A33B8FB57371559B9AB7BB204065DE031F6D5439A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.101{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210714-033155-00000003-ffffffff.binMD5=FECB74C6DB4144B3DD3A24DCE1FF565E,SHA256=7E7F09B28B27D83CA32F3F762BE5526B6849A43AF32A4569F9D8268E5575DEC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.101{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210714-030348-00000003-ffffffff.binMD5=0FECC5ADD7E64231BD777A13B22E6D59,SHA256=BEE5BC087074CB585657828D95B32DC2A47161DB8868A0198B25EDBAB04B6796,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.063{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210714-025831-00000003-ffffffff.binMD5=72B6DFBB404C7E7E6EBD6701AE27BAE2,SHA256=A6754D3B0FE44900EF11997397940A8750643D0E2EC08DFBB9C435529B7B3EB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.047{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210714-025705-00000003-ffffffff.binMD5=878D5D7E57F8F782DEFC0EB5FF5EEB57,SHA256=322768C0A87B33E54558716461BFF0613DCD6923DAC4854A9499F496AAC6B41E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.047{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210708-023722-00000003-ffffffff.binMD5=A54D35BA577072DACC8F046ED8975537,SHA256=7A09EC4DA7C63CE3DFE96B008020B3365186833D5206708B317042B3545FC2C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.047{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210708-023540-00000003-ffffffff.binMD5=C79ACD3D33000D8744F788AA247221D3,SHA256=E63E1EB69482E6D89CF44B5A8F3449BBE726CF67AB81FA46377AE6F787557B35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.047{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210708-023336-00000003-ffffffff.binMD5=127CAF272330FF3505052D8F8A63A290,SHA256=A6283DC530A859F9CB87BDD61864F693B7C432BBE4F53AFF870EDF88739C7B3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.016{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210708-023151-00000003-ffffffff.binMD5=1876E46C265C1B3EC5384707E6731A06,SHA256=FDAF2D0723477987240E163423C650A251E5509DFED23724B6FF0E90E3ABBFC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.016{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210708-023147-00000003-ffffffff.binMD5=5F1D6A04DCAA6370E57247287131A983,SHA256=3074E60971AE61A872A1EA166B7FF3E6A013324FB00575C6E3FB4C8C400D2DFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.000{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210708-023008-00000003-ffffffff.binMD5=4A65026920FF2403CB17ECBE8782CF62,SHA256=B3A473D561795E1E48402DEE17577CA4749508EC384289D53FB377F2539DFCFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.000{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210708-022722-00000003-ffffffff.binMD5=EE04245AD6D223EDB5611258B94B6369,SHA256=003EA00E03824471E7017251A405C3EBA86AD4BC4377B70FCA8A58F9E1E6514B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.000{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210708-015455-00000003-ffffffff.binMD5=5C78BC3CFFC5209B1CE1914FA0FBCB78,SHA256=96D6A5D8BB63127ADDB4E4AED2971E54F28E2CDD2B514793E96CB4B655E089EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:15.000{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210708-011415-00000003-ffffffff.binMD5=FD32F163B0C6B4726ED6B8ED9C5B11D4,SHA256=053269D4FC88D5B3B625A3143BAC37FBB0C781ECDBAEF65B7F25C680785B3E49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:16.898{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F232C9A3E4B4607F6AE5E97EA60CF4F3,SHA256=F6B4310E9B9491D1A06BBB3D66C4EE06989DE00497AE91837DC16D11B96CE0BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:16.866{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20211215-034935-00000003-ffffffff.binMD5=BBC8CCFC6F00EB84B278B9AAB0CA30A5,SHA256=52A677F7F5501B398624BF0FBB2EBC39C5C488FDB8A2CFD672D1B3547DF9678D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:16.866{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20211215-034553-00000003-ffffffff.binMD5=CA589ACF015729FD4C8344E277373E18,SHA256=39774D3019D08250C02C9E5DFA987D06B9803F055A231D8B50A2F5BED74ADE27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:16.829{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20211215-033531-00000003-ffffffff.binMD5=FA55E09F94995F5332A04A91226D76B1,SHA256=FF9CC8F0E300B9702F268025485E4043F1C83E894C0730B0E7C114F635B8629F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:16.829{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20211215-031015-00000003-ffffffff.binMD5=730DA0822FCED720B9DACF1E0CD27284,SHA256=142E7BA475577833129D842F5D8E261D3D29D748E4182C4FE0EE4F531D22AF32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:16.782{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20211215-030648-00000003-ffffffff.binMD5=A531EA64663D16096FDE2A576BF3E0D0,SHA256=4FDD61381E1C01A275127DBEF2C1941F123F355A09EE0B6B293807F27ABAA5A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:16.782{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20211215-030540-00000003-ffffffff.binMD5=6B2BAC2BF55D3C780326B19C4C407672,SHA256=DB2271EE6495A33F4C4B5BBE1DDDAB10718053060C2286504F588BF08F5695D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:16.782{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20211110-052709-00000003-ffffffff.binMD5=8D1016AEE0701929ED6C0CC93EB77ABE,SHA256=C352E7655E5544EB3BDFE871353F48E5CA51D3F505646A1104A55E74E01F87F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:16.751{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20211110-051958-00000003-ffffffff.binMD5=B69620498021D540A3F1E501BE804163,SHA256=37A39CEF74A0195D1F45D842490065096A29CC6A13FA3E6A1F3F0B3A07260A87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:16.751{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20211110-044442-00000003-ffffffff.binMD5=9D42B67A4F445BFB0D72018B2D532CBC,SHA256=720DFCCE747E27D37B554CB9ED98451A891A9A7F3E56187E63FEB66E3946C9BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:16.714{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20211110-041659-00000003-ffffffff.binMD5=98DC459FD801569B2C3593619A11C0A1,SHA256=E7579568A4A466FAB0A96EEE50CD8C65CE451338E03CD0F168D88F858E4183CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:16.699{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20211110-041654-00000003-ffffffff.binMD5=0FC12B6BB43C45A9E49CD9F4831FC4D5,SHA256=9933F4E38C25F21457B3484977B9A20B201B1AF14BD9F264450983AFF8B8DE95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:16.699{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20211110-040616-00000003-ffffffff.binMD5=274AB9282C62A6D19EF8BC8639C0CE20,SHA256=E22A2EA5FBE425728F3893B6A8B499AB7853A2101A6D04CB2666717CD9E90394,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035520Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:16.046{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF1CB3B7B338A4EA12F362ED0919E9CE,SHA256=DB8728E52A62D75FE35A890A6F78C1CF225E5309194650B6BB8BE0807E02BD2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:16.551{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20211110-040012-00000003-ffffffff.binMD5=9D7C5C8B16D82E7A329B8734C69179C9,SHA256=FC5E419FCD2F06A89BEA13B898BB33A6FA4C30021785C5E018C2582F896CC518,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:16.548{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20211110-035629-00000003-ffffffff.binMD5=5F7A01C9E4CCE4FFB008E535960452DF,SHA256=80B454160B43E700C87A5BE2F5A9E524AC0E2459D08ACE2DA8F620901A1751DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:16.513{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20211110-034600-00000003-ffffffff.binMD5=361554B932CC43C5ED3CCD4ADFFA7E78,SHA256=B7A5866F2417885F4FE674A18B70753BD12FE190BA202A6619BDF4AE76D37468,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:16.498{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20211110-031915-00000003-ffffffff.binMD5=DC86777C3938D4AF07D9D9372964A01D,SHA256=5D9B5C83952564F6542F87B96F51A5DA6061A397023F7D5C492F27687093672B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:16.466{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20211110-031431-00000003-ffffffff.binMD5=92C53E101940D69AE9FD5CFF6B4D9384,SHA256=DFDD75B20F60691304E2E93FB72BC73548A397FD9BEEBD467A65BB2C2FC916EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:16.429{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20211110-031319-00000003-ffffffff.binMD5=C0EE46D4E9F36C26E38FADF1F90A9390,SHA256=2452E9F60BAB46A4558B33656AA5CB7FAD8508AE44CA644BC6920EB0FCE8C0CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:16.429{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20211013-051030-00000003-ffffffff.binMD5=FCAFB4167C7E6CE122A6636C07F17567,SHA256=65665CBACF1411B022D79451884FF554F84DB16B94B02C87F8E7282F9FC8A927,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:16.429{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20211013-050825-00000003-ffffffff.binMD5=65ADD3B93E30CD8391D91CA4F6E99E12,SHA256=B7A4513505F72DFE6C4970F79C707DABAB72488A26323D428D031E7D80224CF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:16.413{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20211013-043342-00000003-ffffffff.binMD5=81A0D7292326E5ECC35DDB93BFFE59CA,SHA256=9DEBD6EBC562DBF94DA85428805CD8CDC45E1FB275D50613FAE3F3DA5C6D253B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:16.413{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20211013-040353-00000003-ffffffff.binMD5=8A15ED93F5155C905260F28CC5BB093A,SHA256=E55211C16429276CB35791CF8EECBEC2188B934E0B2FD3D5D4CE1D04E807C32C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:16.382{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20211013-040348-00000003-ffffffff.binMD5=60BBFCE58C3EA77531630F960B24A1C7,SHA256=9B876276FBE8B9479D6AF06ABC3EC3B75CDE413EB72FDC3CB7D66D6DD96A7C1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:16.382{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20211013-035332-00000003-ffffffff.binMD5=E53301A1C5A7457A732D3A93BE918F03,SHA256=FFE829EC2702CBB6C99734B00977017B3BCB7BA037ABF91AF0B46DB8D2B2BA89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:16.198{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20211013-034950-00000003-ffffffff.binMD5=1EDFF6C8911A0C890B56FAF08C7457CD,SHA256=4595B78D8DE3D7E24677B053A46E1E2C5895C0668C659BCDC9C7C902B14374D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:16.167{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20211013-033904-00000003-ffffffff.binMD5=AFA6FF7595615C705E7670BA1CE4CDEA,SHA256=6BC5E2A52811DC9F70EAD87D7D60374414C6C4A2A077117A8A8A5ABD95D8491C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:16.151{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20211013-031052-00000003-ffffffff.binMD5=ABCE32B61D2AA3F1892346161E67128F,SHA256=C56A5A9F451EE7CEC1E032D04565499FDF488243AF14C13A25A14B2BA9E6639A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:16.129{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20211013-030717-00000003-ffffffff.binMD5=49C24725496810C9AC9AD9B00F4BD0E0,SHA256=CA7C0728ADB4C182B87343E6706841ACD9DC3CB549BD2BD47CDA881305F28DAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:16.114{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20211013-030552-00000003-ffffffff.binMD5=755CAA7F36E0F5B46C32645C36FC4D86,SHA256=3A2559B8CBEABCE9302C08D1879324A950264718A835BE10C3CC5A1CB683B0D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:16.114{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210915-051932-00000003-ffffffff.binMD5=D0F5B0EB0DDAF179A01637F912757EE5,SHA256=20E93B4E0029DD91E959135FDE779A1F1A1412CE976453336FEB1A1D483C8DFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:16.114{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210915-051733-00000003-ffffffff.binMD5=900A1D152E017A171281856C58084851,SHA256=FC8866A360DE07E109A48BABF2EA571670CD8C7E91741A2536B923F145BA0CF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:16.114{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210915-051545-00000003-ffffffff.binMD5=22DAEE0CA015AF96E88BBAC9DC242A8D,SHA256=89BDE482FA430D046D723E5D14D8260E6BDF2058F0C5495A3927BD1B0C3DF4D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:16.114{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210915-051539-00000003-ffffffff.binMD5=6A63EFC30077CDCA48F846F5F828E6DE,SHA256=4EBAC852B032960D13C8746EECF4D24EBED25DD30831097669AA867643C2F2A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:16.098{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210915-051426-00000003-ffffffff.binMD5=ED06558AEAD6C26F3472626E974EA626,SHA256=232D36B8EBBA1AC21920315E08D56C1A9E2A150511A67EC239587006C5F51169,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:16.098{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210915-051136-00000003-ffffffff.binMD5=518649233FD53931E0BC724EDEB83AAC,SHA256=8B60ECC137DCF354B4822AC0513E4C510D750AEDDB028B02759E780B7768E7D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:16.098{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210915-043451-00000003-ffffffff.binMD5=2F7BF90F474D13EDF274C91C2BE11537,SHA256=731459DFE69FA5D9ED6E9ED08C253BCA73F4791781A93C334306A11725245948,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:16.047{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20210915-035220-00000003-ffffffff.binMD5=EDC515D77B582558E7C30E275EEAB0CB,SHA256=76BDF20E6828C7DE3E58EEB5B18DAB41D71F6618155447E3F79C60C4595F927E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035521Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:17.077{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84E89BA90B72F60B829A76AB17895AF8,SHA256=70FEB2912DC6AF1BF859EA976337585CF861277F9E3AC335BD59CE0B635613F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:17.514{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:17.498{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20220120-110801-00000003-ffffffff.binMD5=9A111630F9B5992D8E9555667C2F6A78,SHA256=D498A50EC9A15183103722F93BE247B94D6AF926A501ACC4538D53C31B2D96B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:17.467{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20220115-071033-00000003-ffffffff.binMD5=01F6F098559933EC10E5DE7C709D129D,SHA256=6238A02D564ED265D180DAA6D6D0CF63F3AF2046009D980EF5284444E50BFD4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:17.467{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20220115-070943-00000003-ffffffff.binMD5=2D2A961559904FD186F9744F96DF5B12,SHA256=72F9091C524DC71BEC18A26C9A54A35A3CCAFD7D1CBEDCBD257A752CA18FA173,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:17.467{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20220112-053013-00000003-ffffffff.binMD5=F2ECF49445F72672074F7644B4964FE6,SHA256=091A410BCF2293BA2317D71A432C8B819F856A3A2BE1B2ADBB11EAA3E9B5BFE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:17.451{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20220112-052729-00000003-ffffffff.binMD5=EB706378E63EBFEB4F6A34DF7F6346D8,SHA256=8C101D3F315E7C94FCCEBF990DC9F4C594228C0CFD9F2338788346E5D14B50BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:17.451{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20220112-045142-00000003-ffffffff.binMD5=C7E9B607C8AB0CAC7BFA00AB3C17B4D6,SHA256=54C08802EE955DE261D2BC142B0A62A79D8C0455653B0C8FAFAB3A80A3A4AABA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:17.451{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20220112-043139-00000003-ffffffff.binMD5=0DA0195CE25D94EC69D441B18C177455,SHA256=54F64BF2674B421EC391925B37D6C5FA8587EA119DB336965F6785B62A4CCDE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:17.414{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20220112-043133-00000003-ffffffff.binMD5=E219CF7D9D65D9AB7C8EBF62CA1F0AE0,SHA256=7F3BEE375F8976971EE6D2B1087D7A5CA9EC0EDDD3ED4663296585994563DC09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:17.414{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20220112-040852-00000003-ffffffff.binMD5=4FD874AAB87FD9ACF01A69AAA18D7E14,SHA256=04240ECCD8BA537EB6A1ED620BF9963CF0A736C79E4DFBC99E023FB49CFBC0A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:17.251{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20220112-040046-00000003-ffffffff.binMD5=A673D7A33319449CB242EE297E09E38E,SHA256=8779F84D617AFB6BF7AC2A9CED697BB3355D875E182C0AC071C03ECAE2548D15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:17.214{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20220112-035655-00000003-ffffffff.binMD5=44626F27213C82C8AD4FE0C44FF5BFB7,SHA256=22D2D679810F4B3F89B9CAC46979BBFE180E103FFC24A6AB8E8BDEF9CACD229B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:17.214{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20220112-034609-00000003-ffffffff.binMD5=2D1ADD5A9D90D71EB7AD7B973AB41442,SHA256=B2CE2F6BEF7DB8D242146C98493B9980ACDC7CAD721604742F075A76972BD855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:17.198{67EB100B-5642-61E9-4001-000000002202}5756ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\7iz75hwd.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=AD06278F59198A1E8CAF9C1351833717,SHA256=DD076C0A7DC9FFD580F7E1CF2EF47E21087666E67D07CA2BCB2B75944A29D66E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:17.198{67EB100B-5642-61E9-4001-000000002202}5756ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\7iz75hwd.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:17.167{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20220112-031443-00000003-ffffffff.binMD5=070B99997F42D699660A95D9F784D827,SHA256=54082FA9DC1956B7A4ABAB77CF7900B2BBE72B2C0A81FF7608A3EC6D1973CA04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:17.129{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20220112-031304-00000003-ffffffff.binMD5=7671B2B0EF86C53756607B457F28226D,SHA256=9E33965AAEA49D9C6E5C96CAD25CF06B146AC17FA60D53910309EF56F2191356,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:17.129{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20211215-051100-00000003-ffffffff.binMD5=FE43D9A08CE86AC600BC24CEA10D3258,SHA256=EEB82ED2C12E336F28F17C44B59B79802FA3ED3E7BEDD45CB60246BB4304CE97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:17.129{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20211215-050811-00000003-ffffffff.binMD5=8DDFD9EA118BC55227412FB69BA1F9BF,SHA256=82764D19D6A753DEF589CEC063A1EEF23401C4A2FE108243DBB19DB64513E0C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:17.129{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20211215-043305-00000003-ffffffff.binMD5=433DAEF7D64380380B9E0E12E5756480,SHA256=178C37C91CD29B56910FDA610534B84A0D39456554DB629B6F90BF0DC6C324C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:17.083{67EB100B-6B44-61E9-F303-000000002202}5148NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-20211215-035537-00000003-ffffffff.binMD5=11992640D06992C753C175500F40FDCD,SHA256=AD3FC76C3EF48F30D2F6B0869F837DB47CC879250322AE922868BBEAF012A886,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035523Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:14.194{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50993-false10.0.1.12-8000- 23542300x800000000000000035522Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:18.124{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3270343FC02A7AB19A0CA3785E989DA,SHA256=0B76AEC8DE51E0E4DE8D1652908FC55282BC2EB9F4661BA3A8A55C87AC78E33F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:18.514{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2D03C737043A20EAEBBC48A310C457D7,SHA256=A4FBC67154DBA4293407177B5109C3642AD53CD2F695A75B455725C32FBE7F08,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000062373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:18.451{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6B6A-61E9-FB03-000000002202}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:18.448{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:18.448{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:18.448{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:18.448{67EB100B-5232-61E9-0C00-000000002202}864536C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:18.448{67EB100B-5230-61E9-0500-000000002202}4161776C:\Windows\system32\csrss.exe{67EB100B-6B6A-61E9-FB03-000000002202}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000062367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:18.447{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6B6A-61E9-FB03-000000002202}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000062366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:18.447{67EB100B-6B6A-61E9-FB03-000000002202}4264C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000062365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:18.014{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21B006A38092D9B96205E4E9B67D65BF,SHA256=6ADD267624F2E5B93EF15D796CBEC482A7E0AA200D4029C716213220B624A720,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035524Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:19.124{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=009C2F5C630497DADC0B8521EB81F7E1,SHA256=2B231080DC7FDFCE610E5872DC790AB588D8454500931F7F07C996A7CEC4B1FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:19.482{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C5ADBF9EB767839FED8B2D99AAE694A,SHA256=1D5A2BC3FDA144DA680ED20B77A6628482E2A430A96D5DC05A0A743B264BFCCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:19.229{67EB100B-5642-61E9-4001-000000002202}5756ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\7iz75hwd.default-release\datareporting\glean\db\data.safe.binMD5=FA019A51310C5DCFF0F6BA8192015256,SHA256=9B5C00FA25E8028EA9A0A0D42A6033DD74D6CEF99751A32E6CCBFB318E91E088,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:19.051{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01D8A4B1F400B07ABB5F92FD57CDD748,SHA256=9B8C1FAB67CA20ED6BDCA50A91699460E74D3399CFE5A67C0584A6849B561EEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035525Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:20.155{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D518C695F1B17B67CB5A4A378339298A,SHA256=AD1430CA78677D79A23AFE03A4E35E2FB34E2E0C7B7FA49AF09A44A246830F5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:20.082{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EA8D187B76D3DD8EFE8816AFB795999,SHA256=F262729122C52504663D3746CD48FC9517D68ECDAE4F7C2A6192D8DE6057D00B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035526Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:21.249{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77DFB3096A64E84EF4B1A269D13A4603,SHA256=51AC5B7374AE6F71E1F876782D51EE33328F7E281C8D1DBEFEB1412572FF31D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:18.818{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62433-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000062379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:21.097{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D7717C01C69328C73C06A1A06B3B008,SHA256=10414650321B5D72C48B699B3E6428AB7EEB41175D59F5971C8EB6AAA279B5E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035527Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:22.249{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97C08C88FB7DC8DAE31F53DEDB249F1A,SHA256=85B01FF679D2F6B8053E5EE4A361505BB38700F7403CDCDD01450FFFB3E9BEED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:22.097{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7317A1B2FC5B365161E88EC1D6CD73B9,SHA256=39BBE849004402F5C3AD973CEB74CAF32DFE526B2F5BC5DDD6569AEB8B120B3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035529Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:23.311{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4D561A96070F55E19014B9E263F28D9,SHA256=5EB151A1B12D7DD9109DF501E39E2FAB2A0F111BE73C56E515B245A50166E694,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:23.113{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=944FBF276130ACBD98B4E1831E2FBFB3,SHA256=AEF391FE22012484A1BDE708703283EB5DD60DE1A7A959FBC855BBF78C5A0D56,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035528Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:20.226{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50994-false10.0.1.12-8000- 23542300x800000000000000035530Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:24.327{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D0A238B7A7A80A4D930CDB29EFC04B3,SHA256=5D00E6D013D18F3C17286C6094758FBF95F154D44D805AF22E2AA89E7CD4F263,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:24.265{67EB100B-5642-61E9-4001-000000002202}5756ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\7iz75hwd.default-release\datareporting\glean\db\data.safe.binMD5=71A42BB1BC8B04B63E75C650B0A5C9CB,SHA256=1D479D7EDE7BDD732BC4225A3F0F14FB7C4420486B3D4DB2F74635856ECEC427,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:24.127{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67DD0CEB44B8FE286A981C82E179F1D2,SHA256=0567538543464CF1C5318FF4452599A946CB9F04367FB686030F6A18BFCD36CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035531Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:25.358{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F095411EA84252D73C93696310E81167,SHA256=F769C9DB3AB1E7E7E848451C006F209661335CED30506DD606002B827F6CEF70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:25.128{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B36CB9FDC317B741B2FFB277FA919A7F,SHA256=833B41E56FF1D51279D9C388EEA2BE349E0AE48653C122833A6D62B95B5AC5E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035532Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:26.358{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A172B2FAE4700DAF38405449CFF4D6AF,SHA256=2A135E379204EAF4B03F6D474583400DD51C8EF64E67D5F19F8CD9F87711E584,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:26.146{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1129A32E34E18F57A86D2E8F91DBD810,SHA256=CDA60A42473D8A9E3E3343094EA0F339DE0C47030E450C7F020DD03215A62C2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:23.879{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62434-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035534Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:27.671{8EF30467-5221-61E9-1100-000000002202}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=FF75E68F101C0ED7B28FF22FA60FD7A8,SHA256=DB778785CD5A96349909E021656A671A53D106D235BEE6FD5641B5C2797BC291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035533Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:27.390{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93F444B5B6AB7A2FB4125AD86FAD163E,SHA256=278370B362527955E59AE949E807AC4621EAEB48180CC203789DDC06CD874CD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:27.165{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E957BB1D9DF3075805D74FF1540E942F,SHA256=37BA6AC09BA2FF1B5F7FEA5A0E5D7725E9ECCF7C58FB85303009F6F2B672DD17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035536Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:28.421{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C1178A96C54F206EA0BA490DBD87AB6,SHA256=B6E31DF68B4B03B8974F823F6A0534F1C0C7AE3BEED8E4B8941A0A13BDB88B91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:28.181{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=939C825FE2E865872E21EB73F6FF1BA1,SHA256=C16C6FE28D9503E28E9A8AF2750D320EE7BA7E93BBFB44D8F5D053A7E056193C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035535Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:26.147{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50995-false10.0.1.12-8000- 23542300x800000000000000035537Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:29.436{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97A1DAF2E7609C5F0E809B06B50E27DB,SHA256=1CA11E0478150BF2E4A747D2755230ED767B6BED05D456D11B1299E4DB8FDD69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000062440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062434Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062433Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062432Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062431Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062430Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062429Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062428Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062427Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062426Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062425Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062424Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062423Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062422Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062421Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062420Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062419Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062418Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062417Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062416Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062415Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062414Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062413Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062412Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062411Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062410Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062409Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062408Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062407Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062406Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062405Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062404Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062403Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062402Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062401Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062400Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062399Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000062391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.895{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000062390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:29.196{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0419EFAD13D990DA71D9A569B9AFF00C,SHA256=66D700DD690E2B889257AFDA3C14CF98A7BA9EBD9BAFD982284B9D6A9CA4BA7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035538Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:30.483{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03CCB4BDA98BDB427B091B8416FB8541,SHA256=9D3CB7ECF499AC4E5A01B9AE422ACF085F2A05E7E3C606609E3D0A643E721559,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:30.413{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4C671E4441FA04192B85C6B70C57705,SHA256=7697AFF2E09CA3713F02D617E30FE733FFE80CC2A023E1F7DD193F4389FD9F49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:30.413{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E1B8CE061F7363DDF40EAE4D23830BD,SHA256=772D535A53B6D448922B0619FF12C548B61D9D9A5E53139F5866B94498CA9742,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035539Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:31.515{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C88D51FE69C1C84DB0B5439625A40F2,SHA256=44A0B3A6F43B0E07AF5EDE134F678679F2A4FE59179925758C02228031FE8CA7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000062447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:31.713{67EB100B-5289-61E9-8900-000000002202}45244676C:\Windows\Explorer.EXE{67EB100B-5642-61E9-4001-000000002202}5756C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a20|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF800F78EAFF8)|UNKNOWN(FFFFF5DD3A6A5B48)|UNKNOWN(FFFFF5DD3A6A5CC7)|UNKNOWN(FFFFF5DD3A6A0351)|UNKNOWN(FFFFF5DD3A6A1D1A)|UNKNOWN(FFFFF5DD3A69FFD6)|UNKNOWN(FFFFF800F7602503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5928b|C:\Windows\System32\SHELL32.dll+dac4a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000062446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:31.713{67EB100B-5289-61E9-8900-000000002202}45244676C:\Windows\Explorer.EXE{67EB100B-5642-61E9-4001-000000002202}5756C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55501|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF800F78EAFF8)|UNKNOWN(FFFFF5DD3A6A5B48)|UNKNOWN(FFFFF5DD3A6A5CC7)|UNKNOWN(FFFFF5DD3A6A0351)|UNKNOWN(FFFFF5DD3A6A1D1A)|UNKNOWN(FFFFF5DD3A69FFD6)|UNKNOWN(FFFFF800F7602503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5928b|C:\Windows\System32\SHELL32.dll+dac4a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000062445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:31.713{67EB100B-5642-61E9-4001-000000002202}5756ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF62c9bb.TMPMD5=283F9FDBF815B232B94D59794C934AA9,SHA256=B37CFCFA48EB0442B1F71D7D304494C1CC387CD0F72EBE5907C6B99CDC4ED8C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:31.428{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06E093F309933F82EEC296FEE3560557,SHA256=13A546615644E70EA51CED3674321F41027FBB521BB2F5928BF41191EFA86603,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:28.963{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62435-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035540Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:32.577{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DA9A392A84B885C3C0F70A4BB1B99DF,SHA256=392B5566B3D03FCCEC955BA13617972E421CEE2F1C0057017A0606C7EC7AED06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:32.429{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D404DB1E8E98650980523210A4CE8C44,SHA256=594781FD5B38ABD573C0B961EAE733CBAA14886F0356A42F3DEF57BCC8D60F69,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035542Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:31.210{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50996-false10.0.1.12-8000- 23542300x800000000000000035541Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:33.608{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D084C274051344323ED02835120819D0,SHA256=631C7E926F4734B6A7AFF2BF7C27BCFADB84A7A3E63D90B3105D8B4B1F371FF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:33.450{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40835E937E11CA7DB1E2A7D14A04AFDB,SHA256=D86969EDA197B506B91C185E1CE7BE8417547C6A9329CCF17B21F5754390DAEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:34.465{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DABEE9C68158815F32E825ABF8C53D21,SHA256=B5F52D589FBBB46449EAD93448402A6F52FA0F363AC194C108A500C21D2748B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035543Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:34.655{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85F593E4F1994AD1A4A45B5BFE67C8AF,SHA256=BF79E07EA580256434E226B6391C86401725BE3666474CBE242F335DFD57641A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035544Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:35.686{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B929CC1EA5F93D4609346E69357DFB83,SHA256=098883F3EA5D319BD8148252A400ADA22FED6068CCFD2102D3643C0B5DBEDAD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:35.497{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80340DD8CECDA2D63A6917FAEC405203,SHA256=748052B2FD5C769E0AD89F0DDD8925F9A76E6CBF55B4491CB37B182B9227D07D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035545Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:36.686{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85F528253E8E61CAFC2952DE05C67B55,SHA256=ABE3E56B42D8587DEF8D209EA19DA038988D43904E2A06B21A611C09B0EA40C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:36.527{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA2EB1EC5E2EC28A0755CA0E8BE808D2,SHA256=990F035C6D1CD449F4E84AC96AA0945BC11D989B2364004F193C6CFDAF1F6677,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:33.980{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62436-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035546Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:37.718{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=857C11304D4E019AB88865E7D611C6FF,SHA256=D61E7D5B4ADCC834259F65E2671692C166F5F1E17F886914F528793116139B8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:37.527{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ED5A701F6A7ED60151872A775147768,SHA256=183F8B389093F59BBB69F82689D6841BEF58139385EA6DB9A153E2C6E6D9DC55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:38.564{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A359EEF811B5BE8EB0E7582C1F9475C7,SHA256=3F4260A30DAE8F92788E4ECC0D3A92D6383EF45D5FA41180778CFB0AE6CAF26B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035547Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:38.749{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B8679490133A351D203C2DBC903E5D2,SHA256=F4F075E7AD5BB2D8AEE437E4E1BC5F9869D8F88BB7CAEF80C634E6E2241ABAC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:39.578{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=048E96676B7726F12A9057DFA574A714,SHA256=F0B4CCB6FEC76A8B84CE4C2662457B92AC329E1E32223BA82BBB8C552AF77985,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035549Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:39.765{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7DCD0A1AF8C621A94078FD8C51BFC12,SHA256=31604794AC4827EAAAE12D0962383F6B2DEEF8FF01BE6CB42094618BC91E2F05,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035548Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:36.241{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50997-false10.0.1.12-8000- 10341000x800000000000000035576Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:40.874{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6B80-61E9-6B03-000000002202}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035575Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:40.874{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035574Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:40.874{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035573Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:40.874{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035572Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:40.874{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035571Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:40.874{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035570Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:40.874{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035569Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:40.874{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035568Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:40.874{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035567Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:40.874{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035566Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:40.874{8EF30467-5220-61E9-0500-000000002202}412528C:\Windows\system32\csrss.exe{8EF30467-6B80-61E9-6B03-000000002202}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035565Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:40.874{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6B80-61E9-6B03-000000002202}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035564Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:40.875{8EF30467-6B80-61E9-6B03-000000002202}2920C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035563Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:40.765{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E90BCCEF783825E28A4D66D92A02FBD,SHA256=FFB3DDC76A8BA0F822282FABC2F959A90F2B5F666F045097A6BC3450CD63CC16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:40.579{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FB52240D08A8860B953E64989C5B797,SHA256=7FDADF76934E9377305DE15D0DCC90FA10AFC0409EA3597B0B445A0A5724CDF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035562Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:40.374{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6B80-61E9-6A03-000000002202}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035561Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:40.374{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035560Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:40.374{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035559Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:40.374{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035558Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:40.374{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035557Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:40.374{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035556Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:40.374{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035555Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:40.374{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035554Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:40.374{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035553Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:40.374{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035552Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:40.374{8EF30467-5220-61E9-0500-000000002202}412428C:\Windows\system32\csrss.exe{8EF30467-6B80-61E9-6A03-000000002202}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035551Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:40.374{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6B80-61E9-6A03-000000002202}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035550Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:40.375{8EF30467-6B80-61E9-6A03-000000002202}3372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035593Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:41.843{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62E23964DEF8A3DFF0A70F59F2B37D7F,SHA256=07E986F17B691CBE88A7501A095C0113774EE15CB9FE3B242A64C428AC5A4B22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:41.594{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=672FA73D512418B643DBB798C9FC2736,SHA256=AE6524EBA8806876F95816040E8C3C22E87447EB3EC4A333E5549FCDCEDF0C47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035592Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:41.546{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6B81-61E9-6C03-000000002202}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035591Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:41.546{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035590Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:41.546{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035589Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:41.546{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035588Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:41.546{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035587Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:41.546{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035586Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:41.546{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035585Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:41.546{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035584Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:41.546{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035583Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:41.546{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035582Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:41.546{8EF30467-5220-61E9-0500-000000002202}4121048C:\Windows\system32\csrss.exe{8EF30467-6B81-61E9-6C03-000000002202}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035581Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:41.546{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6B81-61E9-6C03-000000002202}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035580Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:41.546{8EF30467-6B81-61E9-6C03-000000002202}3508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035579Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:41.374{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D60B98E948BD66F874622D9CE29277F4,SHA256=67C8ED2188160DEC85BBE572275B724F7EF1CC5F322B636A6F1F95123E0A09B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035578Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:41.374{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C7BCDB833E4A83F5EA893A4D9BC0543,SHA256=074263FC94DB4F9C240794E4E1771EAC0F41CA9755C5790DE54E75B30B1EE3FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035577Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:41.066{8EF30467-6B80-61E9-6B03-000000002202}29203336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000062458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:39.846{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62437-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000035608Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:42.843{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4A7E9F8F0981650C5B004C370E94CE4,SHA256=DE13D26F4A4FA00E23618EAE13ACB4238E039EFD69BF83D5D9DEEADA0C0F5961,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035607Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:42.843{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6B82-61E9-6D03-000000002202}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035606Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:42.843{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035605Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:42.843{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035604Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:42.843{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035603Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:42.843{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035602Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:42.843{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035601Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:42.843{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035600Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:42.843{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035599Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:42.843{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035598Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:42.843{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035597Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:42.843{8EF30467-5220-61E9-0500-000000002202}4121048C:\Windows\system32\csrss.exe{8EF30467-6B82-61E9-6D03-000000002202}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035596Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:42.843{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6B82-61E9-6D03-000000002202}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035595Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:42.843{8EF30467-6B82-61E9-6D03-000000002202}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000062461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:42.595{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C484D34753CA5E4CF7122E6DB87AC13,SHA256=13D5185BD8DA6C9D0871E861CDCF879BCBF3478A11DB2B92FEAB5DC1D3FBB0A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035594Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:42.577{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D60B98E948BD66F874622D9CE29277F4,SHA256=67C8ED2188160DEC85BBE572275B724F7EF1CC5F322B636A6F1F95123E0A09B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:42.302{67EB100B-5243-61E9-2500-000000002202}2840NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0231120d92e8ee7ae\channels\health\respondent-20220120121502-104MD5=8F9BF81EEEF0CC5FBD19D34ACA4D7654,SHA256=BDB857148A23C205BC97FF1DFCA28720A075C205934C789E9782C71AA2112876,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035611Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:43.890{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4859C63961BE82B4B6D288FE76EB0157,SHA256=4D36307D5DC5307856C9B5B5137807323769393D89350BA3B3B9DBF3D522B6EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035610Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:43.890{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC1AF0A16A2B5E865B097234C43D2FFC,SHA256=9E1A353CF691C4CA0531BFAA5413050332D7E6B8943400EB6AAD2B1D760903A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:43.795{67EB100B-5232-61E9-1100-000000002202}636NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=7E4A25C36845D79A1FF4ACDDC8112D70,SHA256=17F73455025BDFDE6FCBDE61C79E46FC24B511294168E5B3A20092FDA3FBFE0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:43.595{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE1E98640443DA7A42B4454014081CC8,SHA256=174BB0883A566368FA2A969D21923B5D5585204DE0552DCBCAB0B2AD9028D5FA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035609Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:43.202{8EF30467-6B82-61E9-6D03-000000002202}35563496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000062462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:43.296{67EB100B-5243-61E9-2500-000000002202}2840NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0231120d92e8ee7ae\channels\health\surveyor-20220120121500-105MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035640Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:44.952{8EF30467-6B84-61E9-6F03-000000002202}37602588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000062465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:44.610{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA4D1FFF179C88419E12632F53EBCDF5,SHA256=B0506F72E9CD2C35C141DB1EBB639075CDAB96C65F3568B3CACBA0EFDD0D3325,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035639Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:44.780{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6B84-61E9-6F03-000000002202}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035638Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:44.780{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035637Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:44.780{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035636Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:44.780{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035635Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:44.780{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035634Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:44.780{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035633Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:44.780{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035632Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:44.780{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035631Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:44.780{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035630Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:44.780{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035629Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:44.780{8EF30467-5220-61E9-0500-000000002202}412528C:\Windows\system32\csrss.exe{8EF30467-6B84-61E9-6F03-000000002202}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035628Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:44.780{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6B84-61E9-6F03-000000002202}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035627Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:44.781{8EF30467-6B84-61E9-6F03-000000002202}3760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000035626Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:42.183{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50998-false10.0.1.12-8000- 10341000x800000000000000035625Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:44.249{8EF30467-6B84-61E9-6E03-000000002202}30481796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035624Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:44.108{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6B84-61E9-6E03-000000002202}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035623Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:44.108{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035622Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:44.108{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035621Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:44.108{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035620Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:44.108{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035619Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:44.108{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035618Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:44.108{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035617Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:44.108{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035616Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:44.108{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035615Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:44.108{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035614Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:44.108{8EF30467-5220-61E9-0500-000000002202}412428C:\Windows\system32\csrss.exe{8EF30467-6B84-61E9-6E03-000000002202}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035613Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:44.108{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6B84-61E9-6E03-000000002202}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035612Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:44.110{8EF30467-6B84-61E9-6E03-000000002202}3048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000035643Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:45.952{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC2292E9E3F8B9E42F910139AB5C0896,SHA256=5946339868AE33A69832B69D102939EEBB91854E6559C489DBAAFAB8D727781F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:45.610{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33334DCBBDA02ED87682A128FF98788C,SHA256=21DE8AD35C257C4532021D615CC92FDBCF96F1584ACC880FFFB2898BDE6C5C0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035642Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:45.249{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=255B1636FC72FDEC6B60BD502A492AF2,SHA256=2E82A06C34ED2BC65B72C4159A9A520145FA7D51EFD8F67557DA84EBD013E879,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035641Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:45.249{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D6956EAC35D95EDDF4F000B2D9084BE,SHA256=9491E8898F4435521CC69768FF760EBF8695B7D99F70788C82C12A0D98FBBDAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:46.625{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A55A9F5D5747B04FC7669F66FFF5EC4,SHA256=733893202D3A41DCB0FC306CB62CF7BFB24044EF723CFFE331BC6BB3E7C17859,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000035656Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:46.968{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6B86-61E9-7003-000000002202}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035655Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:46.968{8EF30467-5220-61E9-0500-000000002202}412428C:\Windows\system32\csrss.exe{8EF30467-6B86-61E9-7003-000000002202}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000035654Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:46.968{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035653Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:46.968{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035652Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:46.968{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035651Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:46.968{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035650Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:46.968{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035649Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:46.968{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035648Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:46.968{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035647Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:46.968{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035646Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:46.968{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000035645Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:46.968{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6B86-61E9-7003-000000002202}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000035644Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:46.969{8EF30467-6B86-61E9-7003-000000002202}1744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000062467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:44.999{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62438-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000062469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:47.642{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=144B529374B7B74A3076516A0F336275,SHA256=06E3709A09BF0D76E8B4E82A5D29A3723516C21040BD8ABFC7C6FD893E6E6044,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035657Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:47.015{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=302B6145D2E7731AC1D50F7EE35AC765,SHA256=A798B67FD5C9A612C63380112E4D297B2EFD5108381E792E8743576C566B1E19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:48.661{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BE3CB00AD89B85D09BD5661CBF00D63,SHA256=9EA1D014F5E94D8E97AA17B69D0A43BBD47890BC4EB7864CCE246DE963CF1BEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035659Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:48.015{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FCD1D5280186A310FB90AFDDF6E5284,SHA256=75D3CA2892F4E4757D3B4BCE515B0CD426BF016B114308C1F246D63967978CD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:48.392{67EB100B-5243-61E9-2A00-000000002202}2992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D436AF652A33B7D06FAEE8F888192108,SHA256=D76038C381859681D8335FD4E07B206A8BF432D2938CEAE5F3738101625CBCCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035658Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:47.999{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AB78E293CDCE7B8CE8A96C765BA8DEE,SHA256=1BA95283B80F263AA3DFB81B1B53C54C88D933F0F9CBE73BF0D161CB94EDC22F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:49.676{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C32898C8C13738DDB8C5055A62DC23D,SHA256=E66809B5EB582A42FB7E6D56F6F2C6A8F5B86F4E61815FC2E30424ADE5AC4763,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035660Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:49.046{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAB9EBF1920D27D08560A6B687CEAEF8,SHA256=AFD120E45C1D32B7E6365F141535EEAC937817AA9F32F93CE125BD0BFB6E6C25,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:48.113{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62439-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000062474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:50.691{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD38BA009E4E9FD95C240142FF128575,SHA256=099243DA072E62F0FF0FDEFB892D0B3786412AB92238CBFA9FE7AB52D5B3E5C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035662Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:47.288{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50999-false10.0.1.12-8000- 23542300x800000000000000035661Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:50.077{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECFF0699B72C83C0D8A459C68377B8ED,SHA256=BBA4A921975A23B6E4A2D6D11898835AC60E0B8968B5B047F7597EDB1BFFD0BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:51.707{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4DD2ADCB7A03FE52C0C3A2C46C50BA0,SHA256=A1D2E8C68C9798206C2F2C6D9B1A80353D38DA45018FC23BE0B1CD6886CBD5F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035663Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:51.093{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69524CA3442BBC35FA7F164E4E6B07AA,SHA256=B027F3B7FF3C8BA7462F28B276D8EB3207A00D2E6CFD6278A10077C39C0D87EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000062477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:52.707{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABD8F2B75C66F8A7045389ED8D451C04,SHA256=6C75447DBC5FAC3490B021443462136BCF060CC254541B247DF31E0F315957F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000035666Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:49.554{8EF30467-5221-61E9-1100-000000002202}968C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:1050:39e4:f5ff:fef0win-host-tcontreras-attack-range-532546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x800000000000000035665Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:52.343{8EF30467-5222-61E9-2000-000000002202}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D436AF652A33B7D06FAEE8F888192108,SHA256=D76038C381859681D8335FD4E07B206A8BF432D2938CEAE5F3738101625CBCCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000035664Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:52.108{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD37E9209998944368FED2BE1C40A17E,SHA256=3F695244699D7FBD1CA07DAD00D5C704AF36DAAF093DFFB3BB7D44FB562A9EA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000062476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 14:02:50.773{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62440-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000035668Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:51.397{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal51000-false10.0.1.12-8089- 23542300x800000000000000035667Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 14:02:53.155{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B611A7D2BBF597CDCAE4F3522256623,SHA256=549455CFB55C392BD472F31CDFEC47BCF237671BA662DE4AC40C5D840C009DB5,IMPHASH=00000000000000000000000000000000falsetrue