23542300x800000000000000034793Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:57:54.707{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E836D5C6E25DC5FD8BD0B96ADCC1FFB,SHA256=BCE236ECD65035554374C91C8B04A1BDAB5ECF17FAA481E8E87AC592F0ADEBE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:57:54.744{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBD5E3FC010EC5B142FB24C7940A8E9E,SHA256=FECD2321BC02BE1E1883B387450AAC7217D2ECE4C601376016F4E76BB1E4A5A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034792Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:57:51.295{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50942-false10.0.1.12-8089- 354300x800000000000000034791Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:57:51.263{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50941-false10.0.1.12-8000- 23542300x800000000000000034794Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:57:55.738{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E48D015D7C3D53751B240969DC1C2BB,SHA256=92EBB851AAE5F7FF4922B4C6B0D36D7672D522C5B01D982B7F218214DC0BACFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:57:55.765{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01699AE0FE4401B4D14A8A6BD0002763,SHA256=C53CF5C2185E1104D957DF6C30D235F56FB95BD806B2D6D3BFCD728409A11841,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:57:56.780{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52B4B0B4452B46F3AE07232491A7CA9E,SHA256=C4882EF2F9DB103CDCC4B1F7BDFEC6A0E7898C7AD99D2C198EC538EBAD76271A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034795Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:57:56.769{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED103C5CEC3F9EF491980F40879E1B29,SHA256=008032EA1BF19BEF6E0DF54C247A206F2A45515B767978A28DD04A3E0D088A93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:57:57.780{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCA0835C9415605015145C88C7D9D660,SHA256=A38A0CA583BD18E4B880D5F6701E88F3AFC14730CD8E23BD7CCB2B5E48317A34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034796Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:57:57.801{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29E3C41455339419EE62B93F513915D3,SHA256=569D0A02D9AB89CC059225DCA26392B881979E69139BB88E42791A3BCF2A0A85,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:57:55.844{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62365-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000058762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:57:58.781{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95ED7DA02C8E4C21BEBA9A51BDD342F7,SHA256=9E1DCAAA8E09A2CC7D2E27A08BC1E117B69725594D9C4F4EF41193CF9BBCEC2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034797Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:57:58.816{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A04C49F365AAEA67F5A4772A5059FC6E,SHA256=DE59B4CC76BE5D1E1B69BDD85552381F334FA6ADAC658E6D2FC5BEC64ADB021B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034798Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:57:59.863{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5608BF86C9A20686062D49BF196CEB2,SHA256=7C70965AF0F85ECA1D384910F6A60A19BADE0D874850CAB66698C673B408266F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:57:59.811{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE34E2FFE766C4A14C11F7E6166310BB,SHA256=FC733129281D7E42E1EBE730B1BF08C1049EDB6AC7ACBD7D86C138D2204694E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034800Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:00.941{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83E652170EA98A4AA19EA10C22280B66,SHA256=6AFDB985EC4F741C8323DEC625288AF39E2358704B68FB5D52863968A95B5E3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:00.811{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51075C22017DDC50A44019728D521996,SHA256=5089E1D7E4147B018CE9594A0063B2F992A3CD82EE3BD338F94030F90DDF6223,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034799Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:57:57.169{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50943-false10.0.1.12-8000- 23542300x800000000000000058765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:01.812{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC020119E5DF8B212CABBAF2E2A07E68,SHA256=C0BE8B68E233E3C99934CA883ADFBDF61D7728AF8E39926B1653B4A0D5F6BDBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034801Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:01.972{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=042A71D5F3B2C5CDAD0204BAD2AC59D7,SHA256=00E0852992FCF257D90B9BCBA7DF7BD478ECEEF43A04FA8DAA338369918A7043,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:02.843{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C55B780A244319E243709B8FC248E6F6,SHA256=5632A10D122C991876F0D35E5634075081BA9EFB4AB1AB8F4D9A71EF3D823073,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034803Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:02.987{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF1A2A996110862725837CF8EC0B9077,SHA256=1EF0A5FF76261DCD79861147E456D9B5E426575C4EED9EDD7A6495952E3D7336,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034802Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:02.836{8EF30467-5222-61E9-1D00-000000002202}1936NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08eff906c3b0b2aeb\channels\health\respondent-20220120121429-100MD5=9C7CC3E13423C542C468574212C91F42,SHA256=598A0B94AA34B4E0F57831480B3ABFCDA89CC50178B87C4D9085997CAB025298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:03.880{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B940178238C452324E787CBB90619E8,SHA256=6C97D2F0ACEE199611D37BD65ECE234E164FAE3C777E20BBB94AEBAA417E0330,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:00.975{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62366-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034804Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:03.847{8EF30467-5222-61E9-1D00-000000002202}1936NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08eff906c3b0b2aeb\channels\health\surveyor-20220120121427-101MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:04.910{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C6474342207E37B9B738FCAFBF9F26E,SHA256=320AA72ED7B1540F2BB5F9266EB2B21B9D08DBD3CF684540A7D6C756CAB8499C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034805Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:04.001{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5446DE4ED5A80B8BEC95D1A5865F84D9,SHA256=26E9967BD80DB8F4638BB6E94BF118304CF88F54F4617B50B16B915E7B2BA1A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:05.978{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64C490B8E43D3647D603B9B43B73153C,SHA256=A8D037E6C72848F33CE9507BA1D3092F2E4C43064BB09EA12ED29B7AAAD5901E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034807Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:02.293{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50944-false10.0.1.12-8000- 23542300x800000000000000034806Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:05.066{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5615047AA7C0CCD20C4DE24434762740,SHA256=D6D0018E56F39B4B0019A642BCA20CBCCBD463CFD1B5218E05364626112A1482,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:06.984{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A852B4143637BD1F8A3C93782C1C9B1,SHA256=C875A0B9603A5A8EDF62FAC6DC1747FD1E5A822DCC12F6BF05A785AE5AD1E727,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034808Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:06.128{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAE2E7B1AD226822348A507796F755A5,SHA256=AE1E762D3419DDCA398A9C7209B565F6AC6B24AC84DC625B3550DCD2E01E4CD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034809Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:07.144{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4827C3EAE9CE5FAB7CFF5BEAE29343C0,SHA256=705150B97A65716AA66974D53394E9224345392D60703611C9F977EF3EEAB03B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034810Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:08.175{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D5BFB4E82A8FD214EC906A4A97770F8,SHA256=BB42421093C054847CCC5112B7F3A87B032676C9F423192001E4546FBFCA60E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:06.932{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62367-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000058772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:08.014{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7D08476D75118C2495DADFB52A3F5B4,SHA256=6D57A198C9FFA3392E7819DBCA87E48D5EDDD8794F564A5A6E840EBD8E61D022,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034811Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:09.191{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C121ED3FCBCC7D123AF3617BD217FDCF,SHA256=78CF1F2B35829F832D3CA9905DDF31CD932A653002CDB6DE708A71C6AA3B2F42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:09.014{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52400B1156045B6BEF6EA8E4EF7E2B51,SHA256=BC4F93937A287BA578083BED4EA53C8CE8D34E5696D5BBD848577BDDA35B1387,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034812Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:10.284{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02DF618C47A8050904E4B376A86A960C,SHA256=F1D928439ABCE2B87923AE7D22223940A2534324DF8772730D927D2F4C0259E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:08.883{67EB100B-5243-61E9-2600-000000002202}2864C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local53domainfalse10.0.1.15WIN-HOST-TCONTR51532- 354300x800000000000000058776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:08.881{67EB100B-5243-61E9-2600-000000002202}2864C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local53domainfalse10.0.1.15WIN-HOST-TCONTR56748- 23542300x800000000000000058775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:10.030{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=530B5113A195FC7E4BBF50D568EB3F34,SHA256=6C57732F3980F8A87EC61D538B87591AB26C83105C09AAE7134CA229570F9A34,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034814Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:08.231{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50945-false10.0.1.12-8000- 23542300x800000000000000034813Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:11.316{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E441F68805DB0CB2027CAE8057E49859,SHA256=290A6FB9DDB42B0EF5BC39CE115A1D97867BD848C2BA2F343652E5C94CF6F0CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:11.082{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6A73-61E9-C403-000000002202}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:11.082{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:11.082{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:11.082{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:11.082{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:11.082{67EB100B-5230-61E9-0500-000000002202}4162384C:\Windows\system32\csrss.exe{67EB100B-6A73-61E9-C403-000000002202}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000058780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:11.082{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6A73-61E9-C403-000000002202}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000058779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:11.083{67EB100B-6A73-61E9-C403-000000002202}2220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000058778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:11.044{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1830BAB508CAE3CF221D5658AD03FA4,SHA256=0F227E1BBC3D7073FAC7ADE072281CF41AE5DECEA42359D619BA3E4D360FE880,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034815Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:12.363{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=586D9893DEC158792C7871F546358E89,SHA256=9DFF5C64023562884FADA3D12B204E05B283ABDA4BE0BAE884D83AF9BFCC496E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:12.244{67EB100B-6A74-61E9-C503-000000002202}50644184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000058797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:12.097{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD182C91A808BF4626CC91F369D8035C,SHA256=7D6A672A0255F12D7AC4F8BADDD321087FA5AF321C7B6B0A95963B0C90D17593,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:12.097{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2004FE2E9E7633C41242CE783545B964,SHA256=8B12E23A75CDBA0B681434CEF171EF2953B054F16D7F6858D2385231D2920CC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:12.066{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C549A0CC10B7D60246F76187BBFE48A9,SHA256=189FCDD3065E742A8A05126F8C11B4C1C2738E2ED4BF67252BF47B7A26B608E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:12.013{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6A74-61E9-C503-000000002202}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:12.013{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:12.013{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:12.013{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:12.013{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:12.013{67EB100B-5230-61E9-0500-000000002202}4161776C:\Windows\system32\csrss.exe{67EB100B-6A74-61E9-C503-000000002202}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000058788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:12.013{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6A74-61E9-C503-000000002202}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000058787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:12.013{67EB100B-6A74-61E9-C503-000000002202}5064C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034816Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:13.394{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA8F226F09F4BA8EF2A586D5A8EC1708,SHA256=556D7CEBB7139ED062B9F139D85D12E0DCA7FF14B87B1922948496B0EC700F88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:13.182{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6A75-61E9-C603-000000002202}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:13.182{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:13.182{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:13.182{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:13.182{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:13.182{67EB100B-5230-61E9-0500-000000002202}416544C:\Windows\system32\csrss.exe{67EB100B-6A75-61E9-C603-000000002202}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000058801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:13.182{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6A75-61E9-C603-000000002202}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000058800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:13.183{67EB100B-6A75-61E9-C603-000000002202}6960C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000058799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:13.145{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7C34ABD497F937B456D3F3EE8EA5338,SHA256=572B60A4D3BC52638CAA8EDDD7A417B9069AE25E8D84A1A97F96BE0D3A282843,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034817Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:14.441{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=794E9E55D9EB71B66E750AB3F8517A2B,SHA256=06D749B2B69DF7A47393CDF0473154341DACBC99DA2DC7C7797D4EED313CAEB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058828Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.921{67EB100B-6A76-61E9-C803-000000002202}46405900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000058827Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:12.831{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62368-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000058826Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.737{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6A76-61E9-C803-000000002202}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.737{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.737{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.737{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.737{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.737{67EB100B-5230-61E9-0500-000000002202}4162384C:\Windows\system32\csrss.exe{67EB100B-6A76-61E9-C803-000000002202}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000058820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.737{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6A76-61E9-C803-000000002202}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000058819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.738{67EB100B-6A76-61E9-C803-000000002202}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000058818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.487{67EB100B-6A76-61E9-C703-000000002202}67401524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000058817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.229{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD182C91A808BF4626CC91F369D8035C,SHA256=7D6A672A0255F12D7AC4F8BADDD321087FA5AF321C7B6B0A95963B0C90D17593,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.229{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6A76-61E9-C703-000000002202}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.229{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.229{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.229{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.229{67EB100B-5230-61E9-0500-000000002202}4162384C:\Windows\system32\csrss.exe{67EB100B-6A76-61E9-C703-000000002202}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000058811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.229{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.229{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6A76-61E9-C703-000000002202}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000058809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.230{67EB100B-6A76-61E9-C703-000000002202}6740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000058808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.167{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD2A4A02A0353446B422BCE46903E485,SHA256=B7F392144AFABD68815AF2B90CAAAEE501A90F67F86EB8697EBDD125A4E39B42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034818Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:15.456{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6747FD1217A53C672D3D50DEFDA06B4A,SHA256=07FF19F8263DE7933F167039EC2F6611B318D8C952045B7D570E2F46BF496D9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.354{67EB100B-5230-61E9-0B00-000000002202}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local62369-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local389ldap 354300x800000000000000058840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:14.354{67EB100B-5243-61E9-2300-000000002202}2824C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local62369-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local389ldap 10341000x800000000000000058839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:15.600{67EB100B-6A77-61E9-C903-000000002202}69886484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:15.403{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6A77-61E9-C903-000000002202}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:15.401{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:15.401{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058835Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:15.401{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:15.400{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:15.400{67EB100B-5230-61E9-0500-000000002202}416432C:\Windows\system32\csrss.exe{67EB100B-6A77-61E9-C903-000000002202}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000058832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:15.400{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6A77-61E9-C903-000000002202}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000058831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:15.400{67EB100B-6A77-61E9-C903-000000002202}6988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000058830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:15.236{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CA3458ED2EA5D627C04A1486CEE9069,SHA256=1EC74725F6F06FFDAC241A84E6105487E12CF2D551B87ED716C709B8E4EA20DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058829Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:15.168{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=564876CC1C648B74A0B3E324C5F93E5D,SHA256=D67B014CD0B6DB5419316B7B33149309B1AD30CD12620AFC57FE8984F9234E90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034820Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:16.456{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=556EC12E3765D2CFBDB143AF545CC4FC,SHA256=8AA2295DA70F55E69CBA02C88049C2A04A125DD0E2AA6CD3B7319CBE68F634FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:16.420{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88F1AEFA477822CC04AF4B4F2E82C971,SHA256=A437042778432B0695F99297B825B00478A5D71D70026AAF129C5C39539C578A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:16.183{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A758D8469A31F6305270EB65AC178524,SHA256=1E3CF6B39B7431F403FDBAED597E8E48CABD0C5DDAE7FFEE97C4F7C251FC22C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034819Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:13.326{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50946-false10.0.1.12-8000- 23542300x800000000000000034821Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:17.472{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F76C78E55DF48B0AF06D327B2B16A111,SHA256=C2D93CFEEB7DDF473BE8DE2908DDAE1E9611E92B7A522818744571852001B763,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:17.201{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BD0F6F903BC6FBFCE3029F0A75A4DC5,SHA256=CAE5C8B5FA2E01E4729C85BAB1D476EC42AD983A4D29EE7B45E0005EE94F8793,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034822Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:18.488{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF7957EC018E5586596B1A0C10990837,SHA256=98C75809FE8E22E48619F904CAAACF3FCC46050472CE784028AC017225009A4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:18.381{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6A7A-61E9-CA03-000000002202}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:18.381{67EB100B-5230-61E9-0500-000000002202}4161776C:\Windows\system32\csrss.exe{67EB100B-6A7A-61E9-CA03-000000002202}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000058851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:18.381{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:18.381{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:18.381{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:18.381{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:18.381{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6A7A-61E9-CA03-000000002202}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000058846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:18.382{67EB100B-6A7A-61E9-CA03-000000002202}5124C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000058845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:18.219{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79AAB26322A2431E076103BC84E84F46,SHA256=567A1FA5024FA9A97DD9A0F0D5F39245FE3C6491596D1C192A0A0FCD17588F65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034823Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:19.503{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB2776AA792CE13EED63EA8B0D81ECE5,SHA256=A8216C33DCA10B86FA9A1AF00AC287CA1C909EC4C63D255A32BCF07ADD19560B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:19.389{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2127BDB00EA00B0D41FDEA49FEB2331B,SHA256=98130A4003BFAD84E99E3B77EA031B7726DA2795133C429C46F54017DD27B4DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:19.225{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E98ABB75E01CB7D002678A442BF9C40,SHA256=B5DDE27B1E5FDCD540542AF1AADF79C10B8CCCDAC76ACE1AE8F2DA59ECA0F7DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034824Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:20.519{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68A78ADD77CEBC511F2E525921BC6709,SHA256=53271014749BB8CD764E5EDFD78E88D58BE2CCC3EF03E13D3BCD5F40A4EB4F7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:20.225{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BD3C9D746C7BFFAA6F75B0F05CE94D3,SHA256=8F1D196E4133920BC496DA670184702D04563C297C72940B22457ED45ADEBBE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:17.867{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62370-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034825Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:21.534{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=823F0DCA83B92344849BFF5D0944824D,SHA256=6C1EE9B056F94B3547D25D6BD2DA144520CF0EF6FC3A4F4B686352BAB2A94090,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:21.225{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C7F39F6BCFB099284ED592C758634F0,SHA256=718EFF290AB117904DC67286087DC834CB904348347FE594B6A6EAB4CB71BA3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034827Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:22.550{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F64F8C8F324304FB77FA0F4BDA13FEF,SHA256=7CAC1710C04DB58A3467CCCED75B5C72AC3FE14B59F16A6AC264348B07442885,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058859Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:22.256{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DBD06E3232474DCBEBC9CD6F9880DE0,SHA256=0C41DC6E0C928A354644F090C00F6C3414A31D4D9A15516D7AA0033961A2F663,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034826Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:19.184{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50947-false10.0.1.12-8000- 23542300x800000000000000034828Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:23.566{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A4393C232879DC5F3726CA4C06A1752,SHA256=A378BE88CBF246BF3FB556EB2BFBCA91BC42A56E3F5B4E3852DFAEA01E4501D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058860Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:23.286{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F9F6F3BF88BD2219F853D5D1F0FD5D4,SHA256=0B1ACE2AD62C633DDB2F0294BC3C7581F20BFED213AD0616DA7C0B184BD8D9C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034829Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:24.581{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CCDD068CB8D68E17D74AAD6F4EC1924,SHA256=268C3B9E6C1CA1694D3F862AAB3EE84FA6A99C70E2874E7A2B03BF44DA713A28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058861Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:24.304{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B402B248DDD05A89681AE0AD0EB182B,SHA256=2CA0DC078CF0F154843F7C65373E2605130C62F5596E8E0EF643A1920201BB11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058863Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:25.323{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2758F2FE7790CFF883D915990C36CE6F,SHA256=14769657FF1333985762AAC658E1B9167D7D489380F09CCB22A7E047C52585A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034830Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:25.597{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=390DA78B9B11F4E28208BD31009E59BD,SHA256=04E57500A4459DD2A468077A27ACCDFE1568961507B9D7FE0FAD00DE8FE47AEE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058862Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:22.919{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62371-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034831Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:26.613{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=294EB083EBA6F0377CD8570EE84297C9,SHA256=DDFE43B77ED66EB359ADBCB39D4AF606A4AF29D816B72E6E3761745A5EBE99D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058864Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:26.338{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=138179BBAE9AD5A8667D4809D01A490B,SHA256=9B9A4D59DA868287B60367CD34CC61399CF0296E689D31571F64463BEA7F907D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034834Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:27.628{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DDAB11AB75B4B1334FA865D77861DC4,SHA256=8009638B901FEAF3D0AE5F2365FB4D778AA44C4F87E703D26581E094379A6AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034833Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:27.628{8EF30467-5221-61E9-1100-000000002202}968NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=BCD2854CEEA5DB373A2B7224ABB7C68C,SHA256=47D5D815EB988E8B32D39FE4612FF907B1F46CEEB9ADB7B96A01488389800BB1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.902{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.902{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.902{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.901{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.900{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.900{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.900{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.900{67EB100B-5232-61E9-0D00-000000002202}920940C:\Windows\system32\svchost.exe{67EB100B-528B-61E9-8B00-000000002202}4900C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000058865Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.338{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0113E4736CB79C04620E3852AAAA76E4,SHA256=956C827FE2900424127551ECFB442BE9FC15CDBD338AAFE27126B9F88BCAEDA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034832Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:25.215{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50948-false10.0.1.12-8000- 23542300x800000000000000034835Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:28.644{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A5FD4DE43522DF75C104DA75BC11B73,SHA256=43F972B928608E2E4B3183BB71EA4B36627A6FDC74DB3088F1F4FCAE041A7F04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:28.484{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91F9619523054A282AA426124C7A8C71,SHA256=24F043D1549E4EAA2E6FE6DDF5872BE1095BBEE9FDC65605FF7AA72A7A9721F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:29.501{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AC4824A7BB61764ED365A58443D5242,SHA256=EB015C6B5DA24142D680C0AF978A4EE393DE1F21FDDCA86079857A0250C01FAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034836Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:29.659{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97E0E2EB34D6F3DA8DC88E5352E075F5,SHA256=244B5BBC5A57EE847B4315B96BC9359A84D5C84BA459A4D563BF75FCAA3AF6E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034837Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:30.675{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8CB23B63D10EB8AE2255C815E90900B,SHA256=FFA814AEAF99D5D14B54312BD28794108A24B29BD0F469D491D82D2CEE82A4D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:30.536{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3A2CF1C1C6BF4092F7168C8ABF897B2,SHA256=7C60295ED1BFC17A557AADC44ED13D5D2FC71674D56A2AF9586DD05519B43504,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:27.970{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62372-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034838Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:31.675{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55FB8154DAFEF7313CFDD6EDF7A823C1,SHA256=1F85E2ED743285B2E0155B9B4EC22D396C9CB1CCA665616DF11F7CE3D49B7031,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:31.923{67EB100B-5642-61E9-4001-000000002202}5756ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\7iz75hwd.default-release\datareporting\glean\pending_pings\66a954ec-9e5c-459f-b9ca-a1b5abe43569MD5=A0CA5DD1B671A8BBABDC80F30CAA8A9B,SHA256=2FF3DEFB2C15855D62F247976E84061BC0924AA664D30845094AE203E3FB046C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:31.706{67EB100B-5642-61E9-4001-000000002202}5756ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\7iz75hwd.default-release\datareporting\aborted-session-pingMD5=EEE13BC4741D75FD6AEA67B931886F77,SHA256=B2C88F1CD3965D0238B82F079D9397E5B862B2FD513CEC23C165FBF5FBC70EA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:31.667{67EB100B-5642-61E9-4001-000000002202}5756ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\7iz75hwd.default-release\datareporting\glean\db\data.safe.binMD5=E10909D94CD06CF3E58F684BF663B53C,SHA256=7D12C1090429A8DDB3D12D31C106F05CD1C81FB2F6E54B65293EFA095D361F6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:31.667{67EB100B-5642-61E9-4001-000000002202}5756ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\7iz75hwd.default-release\datareporting\glean\db\data.safe.binMD5=B7E90553934A708EEB809AAF04A0721A,SHA256=CBE0EF3EE4E4A3C11FA02A2A82748E6A1D0E8BB7DC67D9805AE574D574589469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:31.667{67EB100B-5642-61E9-4001-000000002202}5756ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\7iz75hwd.default-release\datareporting\glean\db\data.safe.binMD5=2B83B9A16D8C5F2CA9EE14E9F5995AA3,SHA256=BD355B374325168C86D4522599C6B5AD3E64A21415E436E61111C57047E3EC2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:31.667{67EB100B-5642-61E9-4001-000000002202}5756ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\7iz75hwd.default-release\datareporting\glean\db\data.safe.binMD5=C21E3717ADEEE7DEC88DD0E1FCDFEFC0,SHA256=42E1437000F22BC6AD0C4793D192BAD2D70E087BE864C82C1A0B2B97196E6BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:31.667{67EB100B-5642-61E9-4001-000000002202}5756ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\7iz75hwd.default-release\datareporting\glean\db\data.safe.binMD5=94E2B4AF10773AC98E03ED94C612CB6C,SHA256=C31F801031FEDE75272162B53AC17EC272D25A7F0141133905AA48BE714E89E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:31.568{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66F6E12578036C8F48B807E8DFF95FDB,SHA256=55B9E5B475E81F4587649455B580303F48335B4B4650C06CA0DECF3D0E0E9CA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034839Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:32.691{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27F069072F1EDCB57E1BDD210847DAC0,SHA256=F4E21DD0E74226B6320BBD957D6823848C29382A4AB9DD1AA49DB6DF7F439BF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:32.584{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7BCB6991AF0B19FA3F5CC1BE8C04235,SHA256=AC16803EF18D66A45FE7DA0B298E840457385C67EDE2541381CEF6CAFD5BC22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034841Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:33.706{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCBCC4F572B475BDD51A7BAE15B0B887,SHA256=B166DE6B515DF58368AD3AC29ED237B79FDBDF8FFCCC74D0D2FDC05BC7E4FD5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:33.603{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C39557D2BA72B40295929308EEEE4777,SHA256=5E07D0D4CCE6068B80D4B8BB96423D7824F4345014FD1EA999A2871CA6615388,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034840Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:31.122{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50949-false10.0.1.12-8000- 354300x800000000000000058909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:31.432{67EB100B-5642-61E9-4001-000000002202}5756C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62373-false34.120.208.123123.208.120.34.bc.googleusercontent.com443https 354300x800000000000000058908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:31.430{67EB100B-5243-61E9-2600-000000002202}2864C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local50725- 354300x800000000000000058907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:31.426{67EB100B-5243-61E9-2600-000000002202}2864C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local53161- 23542300x800000000000000034842Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:34.722{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAE5D9C62B46D09C67F4B64497826FA7,SHA256=D17373F38824BCC55270A769C0CBD9164E6647B0CC27FC7DD217C4ED8696C159,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:34.620{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3023E48F6BBE1C336F8D78601F3D81EE,SHA256=BF4290C01CE96620283FADFDD67912986BF35C21A6A1C4942E43ECBEAC3C803B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:34.367{67EB100B-5289-61E9-8900-000000002202}45246068C:\Windows\Explorer.EXE{67EB100B-571F-61E9-7101-000000002202}6460C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:34.367{67EB100B-5289-61E9-8900-000000002202}45246068C:\Windows\Explorer.EXE{67EB100B-571F-61E9-7101-000000002202}6460C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:34.367{67EB100B-5289-61E9-8900-000000002202}45246068C:\Windows\Explorer.EXE{67EB100B-571F-61E9-7101-000000002202}6460C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:34.351{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-571F-61E9-7101-000000002202}6460C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62db0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:34.351{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-571F-61E9-7101-000000002202}6460C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+62d6c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:34.351{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-571F-61E9-7101-000000002202}6460C:\Program Files\IDA Freeware 7.6\ida64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62d40|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:34.351{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-571F-61E9-7101-000000002202}6460C:\Program Files\IDA Freeware 7.6\ida64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034843Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:35.738{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB125E537EE48C8F4BF30E2E752DB64,SHA256=275A8173FA5C0BF4E18BAD7BFED2DE0C4930CDC5F7D9B11E6C3A3A57192B5B3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:35.620{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9476676A5234FA93F2E47678CE5E55FF,SHA256=D481B5D6229C7312A527698021C510DE23BB9ACE3936C0011C3044E1BB216137,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:33.769{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62374-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000034844Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:36.753{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=113F4CF7B89D6A964849B0EFC4CB6D79,SHA256=A9C4AB15992B0F504C1071EE78CB0FDFA89371014E81A3D7F05730012738D1B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:36.621{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=266F684E8DB2AB7E382AE5842C2AE4FF,SHA256=A472451EFE1BAC90A21101482A28BA46A2039B1F9D47C410CECEE333FD086160,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:36.155{67EB100B-5243-61E9-2500-000000002202}2840NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0231120d92e8ee7ae\channels\health\respondent-20220120121502-100MD5=8F9BF81EEEF0CC5FBD19D34ACA4D7654,SHA256=BDB857148A23C205BC97FF1DFCA28720A075C205934C789E9782C71AA2112876,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:37.652{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3415C05168E9123D48BF01276D392909,SHA256=AE0468B0F4E52088F270A0E68A9678AA7286CB59921808F77EDA5A7A86448C96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034845Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:37.769{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55F326DF3B358F5AB8E87891F776BA0C,SHA256=6497530C3D776EF59E64514405C1ED96086D8AD17E1A0C24432F0D7818E75094,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:37.153{67EB100B-5243-61E9-2500-000000002202}2840NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0231120d92e8ee7ae\channels\health\surveyor-20220120121500-101MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034846Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:38.784{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A89428BB20E562590BA7FBDEC864A41,SHA256=C3B720CB32C9FB2AF9B076D9C551678A888B58889CD9D4D24EA9C7A295DAE9EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:38.666{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9E4D179B96796593D05CCC72492D273,SHA256=DF32AA97188199A57A77980E214949222409DC9E05E14525BA50C60C23F7A9D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034848Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:36.293{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50950-false10.0.1.12-8000- 23542300x800000000000000034847Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:39.784{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=157A3CD13273FF605AA768877A01A214,SHA256=7E649EEA57C2E97CF7E15BC63AB6B0564165F969BF2FD188237C6BE8A01E5236,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:39.681{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DAF52439B94675480160F166E28679B,SHA256=BDE9548F0976B2414AB658A47BC44515FD0B2FA38B284A0ECB6089A67739AE28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034862Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:40.800{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D717978C237897C1A5EB3C5FC7766B7F,SHA256=735707AAB2067A1099D0A3A36C42F030D1D4A0893D12C47C9F956200CAE92B60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:40.681{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F04B807C8699D8DBA4F050C1CAE13F2D,SHA256=0BAA58E512D92D8DDFF3AFDD7C70000ED17DA0624844880DC8BF1857E52E85E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034861Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:40.738{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6A90-61E9-4E03-000000002202}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034860Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:40.738{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034859Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:40.738{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034858Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:40.738{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034857Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:40.738{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034856Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:40.738{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034855Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:40.738{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034854Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:40.738{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034853Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:40.738{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034852Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:40.738{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034851Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:40.738{8EF30467-5220-61E9-0500-000000002202}412528C:\Windows\system32\csrss.exe{8EF30467-6A90-61E9-4E03-000000002202}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034850Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:40.738{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6A90-61E9-4E03-000000002202}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034849Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:40.738{8EF30467-6A90-61E9-4E03-000000002202}844C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000058927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:38.815{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62375-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000058929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:41.699{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9FFAD65DA4E463498FBF4E90C4F78F1,SHA256=CBC603896D02C9ACFB17DBCB90C86541296D59353AE504B1398FFA3F62E22784,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034879Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:41.816{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4782544570FE3DAD83AEF567350D66BC,SHA256=B1FF78F7086A37712EFBD4E02092A79403BC9317068AEB0BBF64E3A71543E709,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034878Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:41.784{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8123F2680799AAE43579086DF33B8A7F,SHA256=B4F5BF2C80EADF590D05C517CE36EDC839FD37BF7D6D62B94456B0A166E4BD49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034877Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:41.784{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72A0126B604BA99285C6A71A3AC391E3,SHA256=E7990D7522E76EF6CE92764F4805B33AA27504FC729E63EE18A78033FBEF9C62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034876Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:41.597{8EF30467-6A91-61E9-4F03-000000002202}3228748C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034875Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:41.409{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6A91-61E9-4F03-000000002202}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034874Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:41.409{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034873Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:41.409{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034872Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:41.409{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034871Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:41.409{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034870Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:41.409{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034869Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:41.409{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034868Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:41.409{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034867Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:41.409{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034866Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:41.409{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034865Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:41.409{8EF30467-5220-61E9-0500-000000002202}412528C:\Windows\system32\csrss.exe{8EF30467-6A91-61E9-4F03-000000002202}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034864Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:41.409{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6A91-61E9-4F03-000000002202}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034863Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:41.410{8EF30467-6A91-61E9-4F03-000000002202}3228C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000058930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:42.719{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77297DA7480E54145951CB4068D5FE96,SHA256=6AB30E14CB2B105E9769F3E4D21B68ECB70594A1D917FC6AAF3904D292FC871D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034906Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.847{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6A92-61E9-5103-000000002202}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034905Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.847{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034904Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.847{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034903Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.847{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034902Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.847{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034901Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.847{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034900Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.847{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034899Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.847{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034898Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.847{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034897Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.847{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034896Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.847{8EF30467-5220-61E9-0500-000000002202}412428C:\Windows\system32\csrss.exe{8EF30467-6A92-61E9-5103-000000002202}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034895Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.847{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6A92-61E9-5103-000000002202}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034894Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.848{8EF30467-6A92-61E9-5103-000000002202}932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034893Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.816{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A1ACB12EDC4EB6DD9A67DFAAD62D23A,SHA256=8420152C70A5E5BC0A5512611BF47764B0C9F4813B2E68BFCFBFE8E5F63F2B9F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034892Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.081{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6A92-61E9-5003-000000002202}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034891Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.081{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034890Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.081{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034889Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.081{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034888Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.081{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034887Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.081{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034886Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.081{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034885Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.081{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034884Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.081{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034883Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.081{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034882Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.081{8EF30467-5220-61E9-0500-000000002202}4121048C:\Windows\system32\csrss.exe{8EF30467-6A92-61E9-5003-000000002202}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034881Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.081{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6A92-61E9-5003-000000002202}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034880Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.082{8EF30467-6A92-61E9-5003-000000002202}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034909Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:43.831{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F22EC7F2961405A618B4D69BBF723E05,SHA256=FED7342E36A82550AC8BF6E84D11BFE25A507CEAEA6D8EC8466CE32A155C9E4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:43.765{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E50B639241E1CE7BCB82069FF42D471,SHA256=25B7C0BA8585C8B73BABF58482F0BB61B9542681B5EC32E66561DA30901AE2EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:43.765{67EB100B-5232-61E9-1100-000000002202}636NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=BC66B377C225DBFD7E4144228F92A6A7,SHA256=09FE865BD83FE85B29E6BEEA687691AE155AC9D337FE2FC1EB820B154D7D6600,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034908Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:43.222{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8123F2680799AAE43579086DF33B8A7F,SHA256=B4F5BF2C80EADF590D05C517CE36EDC839FD37BF7D6D62B94456B0A166E4BD49,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034907Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.988{8EF30467-6A92-61E9-5103-000000002202}9323708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000058934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:44.980{67EB100B-5642-61E9-4001-000000002202}5756ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\7iz75hwd.default-release\datareporting\glean\db\data.safe.binMD5=0B6CE15C1C43BFD6156C5F9D8620A6D0,SHA256=70B383AEFECD01A33BCA3141F61D34C9967F3A5B24ECB469F2F97B183E3FD77F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:44.780{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B4B75C10453FB909E1BD87B2E1B88A6,SHA256=A4FEC8D000B622E0C367F6329FE3E5FF6BAEE6AA104886DFB2A5817BD164FA39,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034938Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.800{8EF30467-6A94-61E9-5303-000000002202}16562412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000034937Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:42.121{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50951-false10.0.1.12-8000- 10341000x800000000000000034936Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.597{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6A94-61E9-5303-000000002202}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034935Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.597{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034934Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.597{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034933Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.597{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034932Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.597{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034931Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.597{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034930Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.597{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034929Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.597{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034928Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.597{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034927Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.597{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034926Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.597{8EF30467-5220-61E9-0500-000000002202}412528C:\Windows\system32\csrss.exe{8EF30467-6A94-61E9-5303-000000002202}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034925Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.597{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6A94-61E9-5303-000000002202}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034924Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.598{8EF30467-6A94-61E9-5303-000000002202}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000034923Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.316{8EF30467-6A94-61E9-5203-000000002202}1316984C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034922Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.097{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6A94-61E9-5203-000000002202}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034921Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.097{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034920Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.097{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034919Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.097{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034918Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.097{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034917Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.097{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034916Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.097{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034915Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.097{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034914Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.097{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034913Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.097{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034912Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.097{8EF30467-5220-61E9-0500-000000002202}4121048C:\Windows\system32\csrss.exe{8EF30467-6A94-61E9-5203-000000002202}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034911Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.097{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6A94-61E9-5203-000000002202}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034910Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:44.098{8EF30467-6A94-61E9-5203-000000002202}1316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000058936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:45.798{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C82EF1AD4B73A564DBFC45943B602460,SHA256=92098C294C65FAE4F7DAEBBB433866806A73705BC689FF690538D9870E5B95E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034940Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:45.238{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=606FC18761E157F010C5A7C127C80BD8,SHA256=325C20947A9AAE4D474E7CD37F8A0190BC433F18085C7B7EC5DCD08BAB6DF43E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034939Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:45.238{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5326E399A10E36920D14DD5A994E64D,SHA256=4330AD85571B463CE9413A8E14CA109A13560960CFB0144302C7D139790045B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:43.951{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62376-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000058937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:46.817{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1921FD57F3714EE41B13BC2E80AF60D0,SHA256=34E951A71758179056F708C75ACE24635392D8C4BF4C43824D8CD3E4E9FE4AEA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000034954Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:46.941{8EF30467-5223-61E9-2B00-000000002202}28282848C:\Windows\system32\conhost.exe{8EF30467-6A96-61E9-5403-000000002202}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034953Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:46.941{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034952Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:46.941{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034951Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:46.941{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034950Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:46.941{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034949Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:46.941{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034948Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:46.941{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034947Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:46.941{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034946Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:46.941{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034945Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:46.941{8EF30467-5221-61E9-0C00-000000002202}728860C:\Windows\system32\svchost.exe{8EF30467-5222-61E9-1E00-000000002202}1976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000034944Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:46.941{8EF30467-5220-61E9-0500-000000002202}412428C:\Windows\system32\csrss.exe{8EF30467-6A96-61E9-5403-000000002202}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000034943Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:46.941{8EF30467-5222-61E9-2000-000000002202}20203728C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8EF30467-6A96-61E9-5403-000000002202}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000034942Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:46.941{8EF30467-6A96-61E9-5403-000000002202}3912C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8EF30467-5221-61E9-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000034941Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:46.238{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81A6780EA351101ECB1F1ADC078999A5,SHA256=292BE95E175CBBDC804B0EB53954A06DAD63EE02027DB86AFE8B7F2DC03B60B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:47.832{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0FC8155C5AE0E553A06CA6C8AC33837,SHA256=5C309528ACF70C7EFB3522BD8DBFC8EA6B943884A86DE3D393682AF686B8AAF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034956Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:47.972{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F36E13F6E81E366887EC776F253A3089,SHA256=EE32F578D03D9DA77024E08B025863EA680824011FD9A295224E259F78F86774,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034955Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:47.254{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1BEDE2A1B4035C82B370B29FC9D46C8,SHA256=15B9A802914F18A1A1E2F6CFC46F2058197CDA94896D1923DC7A78E10A597F16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:48.863{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6775C31FD3FCAC086C85C849E69F7786,SHA256=9D60820BB92C556856F8D92F5F1BF699F9F65CB5667273E0C17731E26234D0FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034957Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:48.347{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F131ADA4A8B22185169125774B7262EC,SHA256=EBA72C0AF4B926884FE62796562B12230EE8026EF9E20B970A105C0805B7A156,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:48.316{67EB100B-5243-61E9-2A00-000000002202}2992NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D436AF652A33B7D06FAEE8F888192108,SHA256=D76038C381859681D8335FD4E07B206A8BF432D2938CEAE5F3738101625CBCCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:49.899{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B06C4CD841BA5605EF962DF5BBDA834,SHA256=A0E9DC71FF6D58595A78942112A3ACF29BEC285A21E8CADC37438A2D48C0A629,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034958Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:49.394{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A329388592872BC692812F63A1F73EC9,SHA256=996963ADE0E83D9C5DD089192C61FBF0AA59D245D8A1AF3BCD7A51CD362546D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:48.028{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62377-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000058943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:50.930{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDA2D5A6E1C7C368AB743A248894C0FC,SHA256=2A5419745295C5D730C6EC6173048BC36660F6C7E87A4ABE565CFB7ED4C77BC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034959Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:50.409{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D023C764F3D3478236FE88AE0416D02,SHA256=61E4390002059450819938D744C5323E852C6DB2BA7BEB88FCEF3CFE566BD450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:51.931{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97D742A646D5D9F6326094F9B44E3EB0,SHA256=15198D3065613D809735EB883D4F089C7D5C8F0BC45016F8B8E1C7296A274ACC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034961Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:51.425{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2C60D475200CD93FAA7F6CF0B7CF2B7,SHA256=B1542BF774BA38B716C0CB4D06B14B094D13E13A067FBB87A916B2A733DC9B0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:49.779{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62378-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000034960Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:48.169{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50952-false10.0.1.12-8000- 23542300x800000000000000058946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:52.932{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AA5FE585070D0AE9263565A0E46BD85,SHA256=FA55339FB1C19F46755B60E40F727D53571BAE95843CCB8EA72B2258B0DED93B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034963Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:52.441{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02B1207BECF58974068861D70FF7175B,SHA256=F8A649CABE72BDE81B70A056FE0709B0E2F058BA86817B5EEE78FE13DF4A0B05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034962Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:52.253{8EF30467-5222-61E9-2000-000000002202}2020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D436AF652A33B7D06FAEE8F888192108,SHA256=D76038C381859681D8335FD4E07B206A8BF432D2938CEAE5F3738101625CBCCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:53.963{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51B96D767AAAD73865B197C2DD3408E4,SHA256=C1EAF79823CB4F71F3EC8C9FE8A72DA404699D2889D8CE6F0DD39267E2A7F101,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034964Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:53.441{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04240ED31AC51A4C34D4E6ACE3A436B2,SHA256=B9F028BD73BB69B4E82F103CB168389E18952FB07351FB4A3470A9A1B0DF0A4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:54.964{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBD3E5467B80E50AD49FABFE85C3D722,SHA256=34959F9FD6F61FBC1C344A51B5A5C4E4B03126CD0919ED3AD2F316B19CDD85C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034966Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:54.534{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79CF9C152A05D876898BAF7CE7E06853,SHA256=40F7A4A39DEFBBF10983493303755C90AEA09E0EE3BC3D0CCC90D45F89B95259,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034965Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:51.309{8EF30467-5222-61E9-2000-000000002202}2020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50953-false10.0.1.12-8089- 23542300x800000000000000034967Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:55.597{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EAF34553478478B77CBD3900AAC5F35,SHA256=38F6E847BAC33DCE179952AA3A6F5E4F8B0B16D78DCE98957173B5FA393EE034,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034969Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:56.628{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=635BD32392D64615CD2B47AAFBED806C,SHA256=BF76476EEE2FD71B86DD9CFA1DC252A81742E12519249947DBF28D52D3EB97ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:54.814{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62379-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000058949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:56.018{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=098E708319F983E31612845CA442939A,SHA256=EE39B0CE570644071DDD50F69D35637BB5F6157CA99D5365D123B13D52FFC366,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034968Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:53.293{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50954-false10.0.1.12-8000- 23542300x800000000000000034970Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:57.675{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B089F4ABA9F1CA001EF1BFFBB6B1F85,SHA256=9FF6C512CCC824551181DBC9DEDC3B183C024D8A6D29C1A73F19CA5AACE430A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:57.879{67EB100B-5232-61E9-1400-000000002202}10641184C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000058951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:57.033{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC791C3C5EA0D81E43A6B1B74D814784,SHA256=45C77B93BA6445FC7FCB67CA4B597927621C91D3055D3A24F59F611FC7D0F83E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034971Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:58.706{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3399809668E2289FEB80ECE5CE469F9,SHA256=1A15E7B00C01F2062968499E50135032BBE69A339522404EFF09BC203E8783C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:58.048{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=911E04D00CCB4828DD0E994FA6297A90,SHA256=6EC8C713A2CB39A47938ABEC2F29ACE64A7F60A3860D17E196A98F6CA78117BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034972Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:59.769{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B875398DEF724FBD8E8EFA689E5077B0,SHA256=1F0C2F2088F878E0A9DF6E6947F1B8FDF6EE28626854EFEFDBF9DA964E7A9EAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.933{67EB100B-5289-61E9-8400-000000002202}41764244C:\Windows\system32\taskhostw.exe{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.902{67EB100B-5289-61E9-8900-000000002202}45246624C:\Windows\Explorer.EXE{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.902{67EB100B-5289-61E9-8900-000000002202}45246624C:\Windows\Explorer.EXE{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.902{67EB100B-5289-61E9-8900-000000002202}45246624C:\Windows\Explorer.EXE{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.902{67EB100B-5289-61E9-8900-000000002202}45247104C:\Windows\Explorer.EXE{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.902{67EB100B-5289-61E9-8900-000000002202}45247104C:\Windows\Explorer.EXE{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.902{67EB100B-5289-61E9-8900-000000002202}45247104C:\Windows\Explorer.EXE{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.902{67EB100B-5289-61E9-8900-000000002202}45247104C:\Windows\Explorer.EXE{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.897{67EB100B-5289-61E9-8400-000000002202}41764244C:\Windows\system32\taskhostw.exe{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.896{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62db0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.880{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+62d6c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.880{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62d40|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.880{67EB100B-5289-61E9-8400-000000002202}41764244C:\Windows\system32\taskhostw.exe{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.880{67EB100B-5289-61E9-8900-000000002202}45244732C:\Windows\Explorer.EXE{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.834{67EB100B-5230-61E9-0B00-000000002202}648784C:\Windows\system32\lsass.exe{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.795{67EB100B-5230-61E9-0B00-000000002202}648784C:\Windows\system32\lsass.exe{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.764{67EB100B-5230-61E9-0B00-000000002202}648784C:\Windows\system32\lsass.exe{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.764{67EB100B-5230-61E9-0B00-000000002202}648784C:\Windows\system32\lsass.exe{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.764{67EB100B-5232-61E9-1600-000000002202}12881856C:\Windows\system32\svchost.exe{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.764{67EB100B-5232-61E9-1600-000000002202}12881328C:\Windows\system32\svchost.exe{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.732{67EB100B-5286-61E9-7A00-000000002202}12643200C:\Windows\system32\csrss.exe{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000058960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.732{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.732{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.732{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.732{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.732{67EB100B-5289-61E9-8900-000000002202}45244724C:\Windows\Explorer.EXE{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\7-Zip\7-zip.dll+545c|C:\Program Files\7-Zip\7-zip.dll+67e5|C:\Program Files\7-Zip\7-zip.dll+6fbe|C:\Program Files\7-Zip\7-zip.dll+70d9|C:\Program Files\7-Zip\7-zip.dll+8e20|C:\Program Files\7-Zip\7-zip.dll+c301|C:\Windows\System32\SHELL32.dll+80267|C:\Windows\System32\SHELL32.dll+6717e|C:\Windows\System32\SHELL32.dll+17c29c|C:\Windows\System32\SHELL32.dll+19ea38|C:\Windows\System32\SHELL32.dll+284513|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17c540|C:\Windows\System32\SHELL32.dll+1799be|C:\Windows\System32\SHELL32.dll+736d1|C:\Windows\System32\SHELL32.dll+765b6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15 154100x800000000000000058955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.728{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe21.077-Zip GUI7-ZipIgor Pavlov7zg.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Temp\" -an -ai#7zMap2422:50:7zEvent10910C:\Windows\system32\ATTACKRANGE\Administrator{67EB100B-5288-61E9-FCE4-070000000000}0x7e4fc2HighMD5=300B8E1F636DCDE7269EF18600493819,SHA256=3AEF7662DCDBBC952A3ECD3677DA943EF3D4AECB5BD624625B6B176B1B5CE617,IMPHASH=C60649CDE63EC51599F93CD2D0157322{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000058954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.079{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1578E274C5E5AD352E67E7AA13E4C8FB,SHA256=452861579AD0EC96C6C9C8C4630813A5FB9717D6BC174552C899EB3A2363E6D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034973Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:00.784{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48D4FC5D6A45B803D35EDDD2A6FC4011,SHA256=5D829FC92EC59B2433515447866BD0503CE9AD17A495BA884BEA0D24B6A24DCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:00.718{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C19BDDF1DE28F1A5BA05EAA98D1BFC9,SHA256=1D593F9083B515A6A6BE2E9479291EC17A3F1488B29463FD2193B463C69ACCC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:00.718{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7EAB7F9C97238B996A99B875B7C6DA53,SHA256=F710B5BC1D846A69C6DDF865CC968826756BB027F3FECB92B562C58EF0E1D426,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:00.534{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C8B00C83BC0EB38EDB2D07C73C31B30,SHA256=C928F5F464435F204062C24739BC2387FA494A5F6AF96140B8EEE90062D35A41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034975Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:01.816{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36C4CF631E6DECCC70CD31C637688B24,SHA256=34ADC1B1815238796D8E0E960CD6627478355546836BE163887238F8006DC6B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:58:59.851{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62380-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000058985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:01.549{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E9A225CE3674F70AFCC1EC611AF6A53,SHA256=9F1FA8E8B1A8BB73764A3DEED57D786EA2A21848E5852D1CDD9E0BED5E168D2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034974Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:58:58.309{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50955-false10.0.1.12-8000- 11241100x800000000000000058992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.localEXE2022-01-20 13:59:02.583{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exeC:\Temp\AdvancedRun.exe2022-01-20 13:59:02.583 11241100x800000000000000058991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:02.583{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exeC:\Temp\Nmddfrqqrbyjeygggda.vbs2022-01-20 13:59:02.583 23542300x800000000000000058990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:02.552{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83A5C52F947B97ABD38673CD61D062E2,SHA256=5A065363152C2057E1127F1F33461CC004283F5BD2EF5C8992B73C645E3C7A71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034976Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:02.831{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F3DA82F8A8F5124132774E25EC33F6C,SHA256=A6FB90177280C887007B0E12FCBBDAA34940D33F12985A71DAD52ECB744F6815,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:02.434{67EB100B-5289-61E9-8900-000000002202}45246624C:\Windows\Explorer.EXE{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:02.434{67EB100B-5289-61E9-8900-000000002202}45246624C:\Windows\Explorer.EXE{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:02.434{67EB100B-5289-61E9-8900-000000002202}45246624C:\Windows\Explorer.EXE{67EB100B-6AA3-61E9-CB03-000000002202}1436C:\Program Files\7-Zip\7zG.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034977Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:03.847{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABE2940D50755BA45EB5D00178201F1A,SHA256=ABD4CE27ED36121C9CE840663EE273FDC1CEEBD2E731DCDD90B0201667EB7964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:03.582{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21A475F98F291BA0EAC66A624FDCEBD2,SHA256=E04872A41E316BB3026711988D17C4AA58AA127F2A53FF2A6A4E56DD6A306EBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034979Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:04.877{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D6E7C1BD9E1ED8504051204291E4243,SHA256=D9A039002A80A9C763589E6DE966294691275A3B72DF6F1A94D24F818BFD547C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:04.600{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CE3F371EB1095BEDC8EAD2087878D68,SHA256=56EED37E6D62A637FFB605AD8B5C33978E71ADC6A7BC29E4271EE2944E515320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034978Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:04.366{8EF30467-5222-61E9-1D00-000000002202}1936NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08eff906c3b0b2aeb\channels\health\respondent-20220120121429-101MD5=9C7CC3E13423C542C468574212C91F42,SHA256=598A0B94AA34B4E0F57831480B3ABFCDA89CC50178B87C4D9085997CAB025298,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034981Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:05.891{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADE2B0E2644F3BC5E739AA5AED4F7BE7,SHA256=7F2CEDC4FB08E999A49E8D9EEAFAD2B65F449ED996F09002E15D25FFD2595C3C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000059008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:05.949{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnk2022-01-20 12:21:05.008 23542300x800000000000000059007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:05.949{67EB100B-5289-61E9-8900-000000002202}4524ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnkMD5=EEE00754C9392DEB11727F8F86B36E3C,SHA256=AEEDBFF9564A83F060F7D04DD9F85DA5F2F133824013C8383B967E6F0F88D93A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000059006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:05.918{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\Nmddfrqqrbyjeygggda.vbs.lnk2022-01-20 13:59:05.918 10341000x800000000000000059005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:05.865{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-6AA9-61E9-CC03-000000002202}1812C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:05.865{67EB100B-5232-61E9-1600-000000002202}12881856C:\Windows\system32\svchost.exe{67EB100B-6AA9-61E9-CC03-000000002202}1812C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:05.865{67EB100B-5232-61E9-1600-000000002202}12881328C:\Windows\system32\svchost.exe{67EB100B-6AA9-61E9-CC03-000000002202}1812C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:05.849{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:05.849{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:05.849{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:05.849{67EB100B-5286-61E9-7A00-000000002202}12643096C:\Windows\system32\csrss.exe{67EB100B-6AA9-61E9-CC03-000000002202}1812C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000058998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:05.849{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:05.849{67EB100B-5289-61E9-8900-000000002202}45242072C:\Windows\Explorer.EXE{67EB100B-6AA9-61E9-CC03-000000002202}1812C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a912f|C:\Windows\System32\windows.storage.dll+a8da5|C:\Windows\System32\windows.storage.dll+a8896|C:\Windows\System32\windows.storage.dll+a9d08|C:\Windows\System32\windows.storage.dll+a86be|C:\Windows\System32\windows.storage.dll+ab4d5|C:\Windows\System32\windows.storage.dll+ab854|C:\Windows\System32\windows.storage.dll+aae90|C:\Windows\System32\windows.storage.dll+ad6ba|C:\Windows\System32\windows.storage.dll+ad472|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801e1|C:\Windows\System32\SHELL32.dll+6717e|C:\Windows\System32\SHELL32.dll+18ce6c|C:\Windows\System32\SHELL32.dll+18cbc3|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000058996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:05.847{67EB100B-6AA9-61E9-CC03-000000002202}1812C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\Nmddfrqqrbyjeygggda.vbs" C:\Temp\ATTACKRANGE\Administrator{67EB100B-5288-61E9-FCE4-070000000000}0x7e4fc2HighMD5=95B2CC3A306C4C1059A53B660096F0A5,SHA256=8B2E206D1F6B510AD73C7541C03F39F9E4DDD7E3D1B9E31F3C8829C64B42E075,IMPHASH=661A40859BC6D47752E9FC5E02C1862C{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000058995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:05.618{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F41864F2FC0B9BF0FCB4CFA61D5992C9,SHA256=388F6CD5CD0DFC49A3E402166C62E261D9A40A63D94F89202943267EC4990C83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034980Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:05.394{8EF30467-5222-61E9-1D00-000000002202}1936NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-08eff906c3b0b2aeb\channels\health\surveyor-20220120121427-102MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:06.962{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E1AFFAAEA8A6E86CABAC953CE3DC60A,SHA256=61787D8EAC9D933CF6E5318BFEE6AE9CB083551E1992A102277B49433D486BED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:06.960{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44AB54A74B6C9D35F0E76F7800A5ADFF,SHA256=6046B04FBBCBF1D8BF332E1B2901E89CAD04B6D089FBD5554991787CAE2906AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:06.960{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C19BDDF1DE28F1A5BA05EAA98D1BFC9,SHA256=1D593F9083B515A6A6BE2E9479291EC17A3F1488B29463FD2193B463C69ACCC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034983Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:06.892{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CACB0DAD94AA008F2C3B5666F6947756,SHA256=D7120D3F5C7CED907669D0C7AE7C7E6E06566ADFDE771BD3A3CC24CBC61CDD67,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034982Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:04.324{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50956-false10.0.1.12-8000- 10341000x800000000000000059022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:06.329{67EB100B-5230-61E9-0B00-000000002202}648784C:\Windows\system32\lsass.exe{67EB100B-6AAA-61E9-CD03-000000002202}4960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:06.149{67EB100B-5232-61E9-1600-000000002202}12881856C:\Windows\system32\svchost.exe{67EB100B-6AAA-61E9-CE03-000000002202}6444C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:06.149{67EB100B-5232-61E9-1600-000000002202}12881328C:\Windows\system32\svchost.exe{67EB100B-6AAA-61E9-CE03-000000002202}6444C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:06.149{67EB100B-6AAA-61E9-CE03-000000002202}64445932C:\Windows\system32\conhost.exe{67EB100B-6AAA-61E9-CD03-000000002202}4960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:06.133{67EB100B-5286-61E9-7A00-000000002202}12643096C:\Windows\system32\csrss.exe{67EB100B-6AAA-61E9-CE03-000000002202}6444C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:06.118{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:06.118{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:06.118{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:06.118{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:06.118{67EB100B-5286-61E9-7A00-000000002202}12643096C:\Windows\system32\csrss.exe{67EB100B-6AAA-61E9-CD03-000000002202}4960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:06.118{67EB100B-6AA9-61E9-CC03-000000002202}18123516C:\Windows\System32\WScript.exe{67EB100B-6AAA-61E9-CD03-000000002202}4960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a912f|C:\Windows\System32\windows.storage.dll+a8da5|C:\Windows\System32\windows.storage.dll+a8896|C:\Windows\System32\windows.storage.dll+a9d08|C:\Windows\System32\windows.storage.dll+a86be|C:\Windows\System32\windows.storage.dll+ab4d5|C:\Windows\System32\windows.storage.dll+ab854|C:\Windows\System32\windows.storage.dll+aae90|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+dcb4e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000059011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:06.119{67EB100B-6AAA-61E9-CD03-000000002202}4960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath 'C:\'C:\Temp\ATTACKRANGE\Administrator{67EB100B-5288-61E9-FCE4-070000000000}0x7e4fc2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{67EB100B-6AA9-61E9-CC03-000000002202}1812C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\Nmddfrqqrbyjeygggda.vbs" 10341000x800000000000000059010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:06.102{67EB100B-5230-61E9-0B00-000000002202}648784C:\Windows\system32\lsass.exe{67EB100B-6AA9-61E9-CC03-000000002202}1812C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:06.102{67EB100B-5230-61E9-0B00-000000002202}648784C:\Windows\system32\lsass.exe{67EB100B-6AA9-61E9-CC03-000000002202}1812C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034984Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:07.923{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=332B163034C7C6DE7353CEF56EB9F3D5,SHA256=67C8E8086EE52BE2914AF537993F477D4E49F9ECA0BFEB37AC0E2F3488E2A450,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:07.606{67EB100B-5232-61E9-1600-000000002202}12881856C:\Windows\system32\svchost.exe{67EB100B-6AAA-61E9-CD03-000000002202}4960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:07.606{67EB100B-5232-61E9-1600-000000002202}12881328C:\Windows\system32\svchost.exe{67EB100B-6AAA-61E9-CD03-000000002202}4960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:07.553{67EB100B-5230-61E9-0B00-000000002202}648784C:\Windows\system32\lsass.exe{67EB100B-6AAA-61E9-CD03-000000002202}4960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:07.553{67EB100B-5230-61E9-0B00-000000002202}648784C:\Windows\system32\lsass.exe{67EB100B-6AAA-61E9-CD03-000000002202}4960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000059031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-CreatePipe2022-01-20 13:59:07.385{67EB100B-6AAA-61E9-CD03-000000002202}4960\PSHost.132871607461199642.4960.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000059030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:07.367{67EB100B-6AAA-61E9-CD03-000000002202}4960ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ys0i2cgs.vud.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:07.366{67EB100B-6AAA-61E9-CD03-000000002202}4960ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_4wmqcbvn.ekx.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000059028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:07.221{67EB100B-6AAA-61E9-CD03-000000002202}4960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_4wmqcbvn.ekx.ps12022-01-20 13:59:07.221 10341000x800000000000000059027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:07.199{67EB100B-5230-61E9-0B00-000000002202}648784C:\Windows\system32\lsass.exe{67EB100B-6AAA-61E9-CD03-000000002202}4960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:07.192{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-6AAA-61E9-CD03-000000002202}4960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000034985Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:08.939{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F1DB1D10C2DD1CBDBE12B0BF1FA49DB,SHA256=68A2AB0C986FF50A7A6872465B88A0FDCB84B31A9246560C0E51531E42708E37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:08.974{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:08.974{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:08.974{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:08.974{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:08.974{67EB100B-5286-61E9-7A00-000000002202}12643096C:\Windows\system32\csrss.exe{67EB100B-6AAC-61E9-CF03-000000002202}2504C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:08.974{67EB100B-5289-61E9-8900-000000002202}45246700C:\Windows\Explorer.EXE{67EB100B-6AAC-61E9-CF03-000000002202}2504C:\Windows\System32\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a912f|C:\Windows\System32\windows.storage.dll+a8da5|C:\Windows\System32\windows.storage.dll+a8896|C:\Windows\System32\windows.storage.dll+a9d08|C:\Windows\System32\windows.storage.dll+a86be|C:\Windows\System32\windows.storage.dll+ab4d5|C:\Windows\System32\windows.storage.dll+ab854|C:\Windows\System32\windows.storage.dll+aae90|C:\Windows\System32\windows.storage.dll+ad6ba|C:\Windows\System32\windows.storage.dll+ad472|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801e1|C:\Windows\System32\SHELL32.dll+6717e|C:\Windows\System32\SHELL32.dll+18ce6c|C:\Windows\System32\SHELL32.dll+18cbc3|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000059042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:08.976{67EB100B-6AAC-61E9-CF03-000000002202}2504C:\Windows\System32\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\Nmddfrqqrbyjeygggda.vbs" C:\Temp\ATTACKRANGE\Administrator{67EB100B-5288-61E9-FCE4-070000000000}0x7e4fc2HighMD5=95B2CC3A306C4C1059A53B660096F0A5,SHA256=8B2E206D1F6B510AD73C7541C03F39F9E4DDD7E3D1B9E31F3C8829C64B42E075,IMPHASH=661A40859BC6D47752E9FC5E02C1862C{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 354300x800000000000000059041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:05.814{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62381-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:08.428{67EB100B-6AAA-61E9-CD03-000000002202}4960ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:08.212{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=819F6A5163C7D89816EFB8D66FBAA0A6,SHA256=43B9E041D6111AC07F8716AD75ADF30F2C6716C5E6A03909EF9D1D2FA4F5DA62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:08.062{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5E166280007DF3483DE33499D4478BF9,SHA256=5C06419BF2A2B5B0A45159A3C6362D0889F21C103CD49E358733CE837F4498FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:08.043{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B6D048F8D36EC0B07BD88441FB0DD74A,SHA256=517549FBC9E891D956A22C0D50F340ECA0C1470774FC2D6AEEF4D60F0B669ADF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:08.043{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FD77F3A499E003FD76DB77302BD696F,SHA256=3ECB833E93671C22F59A3D4243A5C013492FC261EA5BBE781B6A9AF6DDD71F43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034986Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:09.970{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74664B6EF777AC7AB410E6247D3D2F5F,SHA256=8CBE12DF3D105DD6A6163838E533C2B721090AF6FF48A02890DB851C1D16F073,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.997{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D482C6B1C58D336EB2AB802D4EE6C581,SHA256=49B7B79321EEF830859F697EFF699B9471BBB1FC4A236ECEA6BACB70FB68EEBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.994{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E1AFFAAEA8A6E86CABAC953CE3DC60A,SHA256=61787D8EAC9D933CF6E5318BFEE6AE9CB083551E1992A102277B49433D486BED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.491{67EB100B-5232-61E9-1600-000000002202}12881856C:\Windows\system32\svchost.exe{67EB100B-6AAD-61E9-D003-000000002202}1920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.491{67EB100B-5232-61E9-1600-000000002202}12881328C:\Windows\system32\svchost.exe{67EB100B-6AAD-61E9-D003-000000002202}1920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.427{67EB100B-5230-61E9-0B00-000000002202}648784C:\Windows\system32\lsass.exe{67EB100B-6AAD-61E9-D003-000000002202}1920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.427{67EB100B-5230-61E9-0B00-000000002202}648784C:\Windows\system32\lsass.exe{67EB100B-6AAD-61E9-D003-000000002202}1920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000059073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-CreatePipe2022-01-20 13:59:09.374{67EB100B-6AAD-61E9-D003-000000002202}1920\PSHost.132871607492006182.1920.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000059072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.358{67EB100B-6AAD-61E9-D003-000000002202}1920ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_yurzwqro.l0y.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.358{67EB100B-6AAD-61E9-D003-000000002202}1920ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_0esiqs3u.suz.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000059070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.327{67EB100B-6AAD-61E9-D003-000000002202}1920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_0esiqs3u.suz.ps12022-01-20 13:59:09.327 10341000x800000000000000059069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.311{67EB100B-5230-61E9-0B00-000000002202}648784C:\Windows\system32\lsass.exe{67EB100B-6AAD-61E9-D003-000000002202}1920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.311{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-6AAD-61E9-D003-000000002202}1920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.290{67EB100B-5230-61E9-0B00-000000002202}648784C:\Windows\system32\lsass.exe{67EB100B-6AAD-61E9-D003-000000002202}1920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000059066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.258{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BEE7AF458C205525FEC759E8FD16D31F,SHA256=C1B56D180ABD84501EFE1AD2DB0C697A6E37A2D52A4597CFB2E53659EB99A396,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.212{67EB100B-5232-61E9-1600-000000002202}12881856C:\Windows\system32\svchost.exe{67EB100B-6AAD-61E9-D103-000000002202}5104C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.212{67EB100B-5232-61E9-1600-000000002202}12881328C:\Windows\system32\svchost.exe{67EB100B-6AAD-61E9-D103-000000002202}5104C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.212{67EB100B-6AAD-61E9-D103-000000002202}51045804C:\Windows\system32\conhost.exe{67EB100B-6AAD-61E9-D003-000000002202}1920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.196{67EB100B-5286-61E9-7A00-000000002202}12643096C:\Windows\system32\csrss.exe{67EB100B-6AAD-61E9-D103-000000002202}5104C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.196{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.196{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.196{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.196{67EB100B-5286-61E9-7A00-000000002202}12643096C:\Windows\system32\csrss.exe{67EB100B-6AAD-61E9-D003-000000002202}1920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.196{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.196{67EB100B-6AAC-61E9-CF03-000000002202}25046104C:\Windows\System32\WScript.exe{67EB100B-6AAD-61E9-D003-000000002202}1920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a912f|C:\Windows\System32\windows.storage.dll+a8da5|C:\Windows\System32\windows.storage.dll+a8896|C:\Windows\System32\windows.storage.dll+a9d08|C:\Windows\System32\windows.storage.dll+a86be|C:\Windows\System32\windows.storage.dll+ab4d5|C:\Windows\System32\windows.storage.dll+ab854|C:\Windows\System32\windows.storage.dll+aae90|C:\Windows\System32\SHELL32.dll+3ccff|C:\Windows\System32\SHELL32.dll+3cb8c|C:\Windows\System32\SHELL32.dll+dcb4e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000059055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.200{67EB100B-6AAD-61E9-D003-000000002202}1920C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath 'C:\'C:\Temp\ATTACKRANGE\Administrator{67EB100B-5288-61E9-FCE4-070000000000}0x7e4fc2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{67EB100B-6AAC-61E9-CF03-000000002202}2504C:\Windows\System32\wscript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\Nmddfrqqrbyjeygggda.vbs" 10341000x800000000000000059054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.196{67EB100B-5230-61E9-0B00-000000002202}648784C:\Windows\system32\lsass.exe{67EB100B-6AAC-61E9-CF03-000000002202}2504C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.196{67EB100B-5230-61E9-0B00-000000002202}648784C:\Windows\system32\lsass.exe{67EB100B-6AAC-61E9-CF03-000000002202}2504C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.112{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-6AAC-61E9-CF03-000000002202}2504C:\Windows\System32\WScript.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.112{67EB100B-5232-61E9-1600-000000002202}12881856C:\Windows\system32\svchost.exe{67EB100B-6AAC-61E9-CF03-000000002202}2504C:\Windows\System32\WScript.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.112{67EB100B-5232-61E9-1600-000000002202}12881328C:\Windows\system32\svchost.exe{67EB100B-6AAC-61E9-CF03-000000002202}2504C:\Windows\System32\WScript.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000059049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:09.074{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DA766548CCD3CDCD12AB3DB4CE1CD4F,SHA256=5A6CDBDAFC522D3A4690938ED353FD6CB1F9594763D4E5C3DBD4586102137A82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:10.350{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1ED9CCBD7DDF1D4D8B957A535776FCC3,SHA256=DE6B8506871556941D5CD0AEDC31080B533AE38A6354EB58C3D4CD1C08A94F50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:10.284{67EB100B-6AAD-61E9-D003-000000002202}1920ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:10.268{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F4C04AD5FDB108EB2EC1A6EE9252799A,SHA256=532D9FB52027A7B71D80DA211A6C2937F66B35A8B8736799B4CB2A2185088F78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:10.200{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A65B63B464345F39B7F567DEEC470D2,SHA256=76A3C830347CF4642B06549955D4F6EEC5E1959C6C31B9C0F41E8B73AE84455F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:10.022{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BAE6EEC46088269A2C2271F7FB60036D,SHA256=C8FEEE934C85DC7885A355B1F977146FDA8E1194C4BA62F43B9B674A4321A470,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:11.232{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6AAF-61E9-D203-000000002202}2244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:11.232{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:11.232{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:11.232{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:11.232{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:11.232{67EB100B-5230-61E9-0500-000000002202}4162384C:\Windows\system32\csrss.exe{67EB100B-6AAF-61E9-D203-000000002202}2244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:11.232{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6AAF-61E9-D203-000000002202}2244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000059086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:11.085{67EB100B-6AAF-61E9-D203-000000002202}2244C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:11.201{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DA7D38CBDA2ED339F4A5138BB23D7D9,SHA256=9ADAB985B5D6AFBF96EA38BF2FBD9003605D8CF6C571F04B26CD764D291D706E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034987Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:11.001{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69C42E9A25EEA25FBE254B931F2856F0,SHA256=2DD771D2B011941873F7E654E95A966DE3DACFE2E869E79D0FC9AF9766735CB3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:10.864{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62382-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000059104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:12.482{67EB100B-6AAF-61E9-D303-000000002202}17325404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000059103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:12.267{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4A30B133D7025269EC716FA30DEDA19,SHA256=066D49C3B1D82A39C234CA965F8A4B77C82D75FF7C3D69C1DA429B4F7FE190CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034989Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:10.119{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50957-false10.0.1.12-8000- 23542300x800000000000000034988Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:12.001{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07DFB1F76E1FF7D7DC0DF1D95142F29B,SHA256=872C1651AE043935D265F5014C6B9BF7827C0A81E88BB84A57F6F19964B8200A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:12.145{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6AAF-61E9-D303-000000002202}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:12.138{67EB100B-5230-61E9-0500-000000002202}4162384C:\Windows\system32\csrss.exe{67EB100B-6AAF-61E9-D303-000000002202}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:12.138{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:12.138{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:12.138{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:12.138{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:12.138{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6AAF-61E9-D303-000000002202}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000059095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:11.949{67EB100B-6AAF-61E9-D303-000000002202}1732C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:12.093{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=619C5EF591B65F0E17589518E740B13A,SHA256=A7535548E320615A9733BDFF09C4FF136090D121BEDDB94CBF4782BED4EDE43A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:13.399{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6AB1-61E9-D403-000000002202}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:13.399{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:13.399{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:13.399{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:13.399{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:13.399{67EB100B-5230-61E9-0500-000000002202}4161776C:\Windows\system32\csrss.exe{67EB100B-6AB1-61E9-D403-000000002202}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:13.399{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6AB1-61E9-D403-000000002202}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000059107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:13.200{67EB100B-6AB1-61E9-D403-000000002202}6500C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:13.268{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B178D97226C78A2A5629D8F0CF90CD76,SHA256=AFDB269C8D36C833A2FDF903CC78080D176D9F7DE3C0EC754FDAD9CEEFEE4CEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034990Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:13.048{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDB77D640851FA65BDFE7F91272D6FC7,SHA256=09FA5E4200DB56CCA012C78DADC46A9146DA5BFF9C946BDF25772E68299E7531,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:14.468{67EB100B-6AB2-61E9-D503-000000002202}46404476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:14.299{67EB100B-5289-61E9-8400-000000002202}41764244C:\Windows\system32\taskhostw.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000059124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:14.283{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=201C513BC24F10C998AEA2F7962437E2,SHA256=604006FCDB1F00663203DAB8304B268E25D8F33EB19F471DB1308F15C73E5939,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034991Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:14.110{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F6798E154B10DA0DFFC881D0B31869C,SHA256=0F043017F0C943A0C7431FD46FE017AA3885BA93C3C076A911D81F400407CC3E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:14.230{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6AB2-61E9-D503-000000002202}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:14.230{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:14.230{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:14.230{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:14.230{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:14.230{67EB100B-5230-61E9-0500-000000002202}416432C:\Windows\system32\csrss.exe{67EB100B-6AB2-61E9-D503-000000002202}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:14.230{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6AB2-61E9-D503-000000002202}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000059116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:14.084{67EB100B-6AB2-61E9-D503-000000002202}4640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:14.214{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3968D5164841F97116BF82D7D1C4F179,SHA256=18FFBB1F2A393528507C7564B92892D6A60135BAA66CD36BDC91D621F1CB9395,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034992Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:15.126{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=018E7DFFDB6E8D1A902AE04545327FD5,SHA256=98B3A2B277A2C8012EF35CA499EE4C096A4EAE89391B221DD09C64005C15F0E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:15.984{67EB100B-6AB3-61E9-D703-000000002202}67206708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000059147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:14.363{67EB100B-5230-61E9-0B00-000000002202}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local62383-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local389ldap 354300x800000000000000059146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:14.363{67EB100B-5243-61E9-2300-000000002202}2824C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local62383-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-957.attackrange.local389ldap 10341000x800000000000000059145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:15.815{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6AB3-61E9-D703-000000002202}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:15.815{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:15.815{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:15.815{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:15.815{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:15.815{67EB100B-5230-61E9-0500-000000002202}4162384C:\Windows\system32\csrss.exe{67EB100B-6AB3-61E9-D703-000000002202}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:15.815{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6AB3-61E9-D703-000000002202}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000059138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:15.816{67EB100B-6AB3-61E9-D703-000000002202}6720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:15.637{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=62CAC9F459E206CDA8B5103FDAC527E2,SHA256=0FB4035378DA619AAF1E69D95393D5E659060B82AF5AD862FD42452F1A77416D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:15.410{67EB100B-6AB2-61E9-D603-000000002202}58445524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000059135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:15.295{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7585769806C8DD8B1855F7200E1E7502,SHA256=6F8290F9B39BE094530E752342963202303B0C67B588A97F542EE1F71F115AAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:15.124{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6AB2-61E9-D603-000000002202}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:15.121{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:15.120{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:15.120{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:15.120{67EB100B-5232-61E9-0C00-000000002202}8644372C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:15.120{67EB100B-5230-61E9-0500-000000002202}4162448C:\Windows\system32\csrss.exe{67EB100B-6AB2-61E9-D603-000000002202}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:15.119{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6AB2-61E9-D603-000000002202}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000059127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:14.947{67EB100B-6AB2-61E9-D603-000000002202}5844C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:16.836{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FDFA2A607ED631B97426DF37D57B7486,SHA256=FB1A718D5EE410B3CFB64D0E5C071B6DB3ED00FF94E1D8523D1890F278A12B60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:16.384{67EB100B-5289-61E9-8400-000000002202}41764244C:\Windows\system32\taskhostw.exe{67EB100B-5289-61E9-8900-000000002202}4524C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000059149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:16.368{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A787D55F7FE909F5CCC07FFDDDE682E,SHA256=687782E385B70BC2F45F859FD12CC278E57BAA35FA8C2124F9A2C2E0EB2AC9C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034993Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:16.157{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6069B15418412C4DB3702FC4F3BD8D5B,SHA256=CBE88EF301555E07EC3F8BF08211C772589032C3255EDE7EFC888A7AEA578E41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:17.368{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=871C16216C4CE1761C75B9E0A35E7E79,SHA256=178E85E1C59FC6955E326DF3C9F3A2FA6ED1A51C167A9A1CB1E5146E76D19F4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000034995Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:15.244{8EF30467-522D-61E9-5B00-000000002202}3876C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-532.eu-central-1.compute.internal50958-false10.0.1.12-8000- 23542300x800000000000000034994Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:17.173{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94E9452E2AE868B83DE68205F8463F94,SHA256=8DAF323E2B621EF77AD01AFE1D316E27A6B17EE27BE3FBA4F863ABF992664E0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:18.638{67EB100B-5245-61E9-3100-000000002202}31043124C:\Windows\system32\conhost.exe{67EB100B-6AB6-61E9-D803-000000002202}7052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:18.628{67EB100B-5230-61E9-0500-000000002202}4162448C:\Windows\system32\csrss.exe{67EB100B-6AB6-61E9-D803-000000002202}7052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000059160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:18.628{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:18.628{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:18.628{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:18.628{67EB100B-5232-61E9-0C00-000000002202}864968C:\Windows\system32\svchost.exe{67EB100B-5243-61E9-2400-000000002202}2832C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000059156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:18.628{67EB100B-5243-61E9-2A00-000000002202}29924020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{67EB100B-6AB6-61E9-D803-000000002202}7052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000059155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:18.400{67EB100B-6AB6-61E9-D803-000000002202}7052C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{67EB100B-5230-61E9-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{67EB100B-5243-61E9-2A00-000000002202}2992C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000059154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:18.383{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34AB2C0C15228E340039E0491911465C,SHA256=095D417D7516C49313B78E3B3E216D012F9F418F3E049A91DEEAD54C76FCD47F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034996Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:18.220{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E5118BC4F698803201AC1A1F9CC6931,SHA256=6F89E4838B1A173F83D68FD7DC6CD171D2AF6F63F16E67E8F2AFAF62529ACE14,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000059153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:15.902{67EB100B-524E-61E9-6A00-000000002202}4008C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-957.attackrange.local62384-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000059164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:19.410{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49FD99FD952BBB9FF9334BCA85641A9A,SHA256=EB4D3D514E694E29403B1333B8E033FF87E1D71324696440DC661F19F5A79477,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:19.410{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48ACF31198B8F0195F92AC8A42C7A2CF,SHA256=52A24207AEA648D8C3F95F14FF7C0C7DC9C2B8924444CFC45F9107B3627AB092,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000034997Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:19.235{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D49286E20B2E969E3C1EA44982390C1,SHA256=879506B80AF0932E2379182F7853A2FF3DCDA1993545AE21BC9415AA4E111017,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000059246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.832{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=001E8080F2B6A9B81E0A1F88E3E05A50,SHA256=F74E922C91D5CCC73D8E44A120BA86D2A677B3CB1361FF3A0E3067DF48DF9DB8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.785{67EB100B-5288-61E9-8100-000000002202}37081864C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000059244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.783{67EB100B-5288-61E9-8100-000000002202}37081864C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000059243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.783{67EB100B-5288-61E9-8100-000000002202}37081864C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000059242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.783{67EB100B-5288-61E9-8100-000000002202}37081864C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000059241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.780{67EB100B-5288-61E9-8100-000000002202}37082624C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 23542300x800000000000000034998Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-532-2022-01-20 13:59:20.251{8EF30467-5235-61E9-6B00-000000002202}1840NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A44B36F3A605930CCB54A26F96C33299,SHA256=F76D22DB60168CB3345B58D1E3EBDF5324F19E1FDAEC5D04677209F9480FFE16,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.780{67EB100B-5288-61E9-8100-000000002202}37082624C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 23542300x800000000000000059239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.761{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3D5C27D8C165397E1B859E7AED6D392,SHA256=F5FCD8EF7EED50F9D3D6CD02FC16A8DA33938CEA8FEFF279A98EE69E7ED9A601,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.761{67EB100B-5288-61E9-8100-000000002202}37081864C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000059237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.761{67EB100B-5288-61E9-8100-000000002202}37087100C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000059236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.761{67EB100B-5288-61E9-8100-000000002202}37082692C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+54193|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000059235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.761{67EB100B-5288-61E9-8100-000000002202}37087100C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000059234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.761{67EB100B-5288-61E9-8100-000000002202}37081864C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000059233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.761{67EB100B-5288-61E9-8100-000000002202}37082624C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+54193|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000059232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.761{67EB100B-5288-61E9-8100-000000002202}37082624C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+54193|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000059231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.761{67EB100B-5288-61E9-8100-000000002202}37082692C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+54193|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000059230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.761{67EB100B-5288-61E9-8100-000000002202}37085988C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000059229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.761{67EB100B-5288-61E9-8100-000000002202}37085988C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000059228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.761{67EB100B-5288-61E9-8100-000000002202}37086660C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+54193|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000059227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.761{67EB100B-5288-61E9-8100-000000002202}37086660C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+54193|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000059226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.761{67EB100B-5288-61E9-8100-000000002202}37085884C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+54193|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 10341000x800000000000000059225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.761{67EB100B-5288-61E9-8100-000000002202}37085884C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1e1d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1f63|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+54193|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751 23542300x800000000000000059224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.748{67EB100B-5255-61E9-7300-000000002202}3264NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BD922469C626E4CC025A1E83E8504F5,SHA256=2414AFC2DE3D4192C89A0C292F4D45441DC115DCE3364A9706CAA909BC1E4ECD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000059223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.729{67EB100B-5288-61E9-8100-000000002202}37081684C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7 10341000x800000000000000059222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.729{67EB100B-5288-61E9-8100-000000002202}37084152C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7 10341000x800000000000000059221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.729{67EB100B-5288-61E9-8100-000000002202}37085076C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7 10341000x800000000000000059220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.729{67EB100B-5288-61E9-8100-000000002202}37083048C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7 10341000x800000000000000059219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.729{67EB100B-5288-61E9-8100-000000002202}37085616C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7 10341000x800000000000000059218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.729{67EB100B-5288-61E9-8100-000000002202}37085168C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7 10341000x800000000000000059217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.729{67EB100B-5288-61E9-8100-000000002202}37086648C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7 10341000x800000000000000059216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-957.attackrange.local-2022-01-20 13:59:20.729{67EB100B-5288-61E9-8100-000000002202}37086768C:\Windows\System32\RuntimeBroker.exe{67EB100B-528A-61E9-8A00-000000002202}4812C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1535|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+16ef|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a243|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C: