23542300x800000000000000031594Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:12.907{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A7BA12C2A0CC2B176F326D040C13689,SHA256=9E8F9C164658AD80C33BB863DBC52C06ED34FB6E6B085B722F11168FA140C913,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:12.293{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B4AEFDB8E48705AF025292A46A581CE,SHA256=E6FD00DA6B5535D1A3351465652EAF66780E2DA5DE5AE33D977BEEC8CC16B0D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:12.191{6F5BEE90-18B8-61E9-2900-000000002102}2920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0571bb7ceded66ec2\channels\health\surveyor-20220120080928-144MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031595Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:13.907{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3496DCA61D61388F81F62A3CE6599F6C,SHA256=F7FC3D982D511A3C1382F5D5A4D3CC086DFF46FEDC6759098E6F34EAA73AF0E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:13.311{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53CC0891C252879AFCC6E1A20E6CF538,SHA256=562DB87A99FF2D87B1340D6DE6349E7F39B08757B07BF7FC451AF96578C9D844,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031596Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:14.907{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7D4CFCEE770B16900600A985A2D86DD,SHA256=B12EB030CCA9DCAA6267C4611F8D1A23F41448A3856B76497CB4DB651BD77E2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:13.406{6F5BEE90-18C6-61E9-6E00-000000002102}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-53.attackrange.local52427-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000058037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:14.326{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBFD53B110C607E66F29B1B2CBBA4F3E,SHA256=000AD091C0AF51FEB4E899F69791077267258C8571FFE4220C86ACD81F5514C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031598Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:15.907{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5CCF6D5AA27BA65E0C6BC3E0DC8DA34,SHA256=D9E6BE76D04FBC4646320117D36B7C4CCA0DDDE84BF9BE20EEB979FF4CA5EFFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:15.473{6F5BEE90-18AA-61E9-1100-000000002102}480NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E6DA5D2E1C062D208AA03094E1FCD231,SHA256=93E2A7F3221E3F16C5C90304B56D13FC617C6144CB776A75BB9236CED8076934,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:15.357{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2576587DEC5D1440988973E55F5A9188,SHA256=3DE147A30518E48E92501B7E78DF649D4CE3D493484B757DEEF9E96FAB199007,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031597Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:12.843{CE7C8936-1B1A-61E9-D900-000000002202}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-276.eu-central-1.compute.internal51370-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031599Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:16.907{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC427D635193187D783CCE220D6DF218,SHA256=5A4655A0545A32C690B1C53F21DDDB459225DAF7D8629719DA4624248247D574,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:16.358{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77D0675840560726E237339B2CDB7619,SHA256=40DE2618376D2862E76102DA543DF4F4CEC1F7EF612FEC954F728FEC51F19F83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031601Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:17.923{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B30510F5139B422CB4B7FEF80E2DE8E0,SHA256=AA604A03E0BE386B2ED95DA1FFED6E015BA0A8C8431ED6BCA7AA6E9BF3FFF1B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:17.369{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98DB39FA12B86DD57EF801F7960CF86,SHA256=15F747D21402896039926120671C5B32675C7AE798DF2BED0FB4D96671323ACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031600Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:17.314{CE7C8936-1B12-61E9-AB00-000000002202}1912NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9E11AA9F3452DB0F16F9E79CCD407159,SHA256=0B6123CF67044127245D77723D015AECD3385919E1F78356EC114EAF4F576866,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031602Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:18.939{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81E9E81CC7F36703A4ED3BE4D66E500C,SHA256=B694516BDC280680E4C037D13AECCA1F301F790F31FFE4B823E2BB118521271B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:18.403{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30F46A4E4F0A5E058ADCC1FE076A9A34,SHA256=C062A22DD77994F2FEF612B3B13FB066D46DCE852EB87202ADD8CE78C92F1A09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031604Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:19.954{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0696AD20901513AA3411E767D57E9DEB,SHA256=9BC5CB2F264E8BE630221D958A0B3DAEA33AEE65B8DD21F4E645E79074A2DF5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:19.421{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFF0E50498F47C346DBC3456F0A5113A,SHA256=4D15DA8CBEAF24E8354DB978E297CBDCE51EF848BEA4D264C9AC21CF55CC39A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031603Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:17.015{CE7C8936-1B12-61E9-AB00-000000002202}1912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-276.eu-central-1.compute.internal51371-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000031605Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:20.954{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37AEEDCA9B98E355818F699E1CD3E804,SHA256=7E5B8B3272C5E5A3834EDD9BD444B961112DF81A4B17C2D80CACE6847D0F6249,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:20.621{6F5BEE90-18B8-61E9-2F00-000000002102}3024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9E11AA9F3452DB0F16F9E79CCD407159,SHA256=0B6123CF67044127245D77723D015AECD3385919E1F78356EC114EAF4F576866,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:20.436{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A169CE73A55983397C3C97B346AAC13F,SHA256=03F071C1564693FE1404834CAA18A00D13BA0A1F051C8BED6542633659FEA3E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031607Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:21.970{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B53C7E5A02ED76B6E986183A320DC68,SHA256=E187798BA2D7606843E5F4ED7D9A7A2C942E63A1A587D8E6B5B31B5D1355EF72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:21.452{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9D798AB551C1DAA300A339863447BD2,SHA256=A20F90D2BBC2E727028508847947970F5898A0B4C7F6572A895DD2240B8ABC9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031606Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:18.874{CE7C8936-1B1A-61E9-D900-000000002202}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-276.eu-central-1.compute.internal51372-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000058047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:19.333{6F5BEE90-18C6-61E9-6E00-000000002102}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-53.attackrange.local52428-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000058050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:22.452{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E67AB4C6014ECC69F429231CAC8DD035,SHA256=9AA6EE243828E2F7EEA4D43F886D7D1E9F3C271D0F9286BA6522CD341BAE9745,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:20.894{6F5BEE90-18B8-61E9-2F00-000000002102}3024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-53.attackrange.local52429-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000058051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:23.467{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E60A69EBA717478ECADFD70C98AF148,SHA256=2242F665866724B0882C618C65C3474A44811ED02C3B5617B80A05801A80C64C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031608Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:23.001{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=990903B1E55B655383343DD5AE3E9783,SHA256=59E91E758D815BED3240D2F7464B676C502E6DF911D53D0386CF0ACA1238D591,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:24.500{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A24F68F01227878D2106BD0E49539227,SHA256=6E17A7C83752AF332766E5489455466C024602B6ECE7792F33243DBC36065B33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031609Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:24.173{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3E333CF1BFDE2EFD60E1B4A4C8A8288,SHA256=3CE68F130A68B583DFB1FAFFCB51C8FA49A14EE783DC39B4431D3BDB18DF3FDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:25.535{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=826D04E04B242CE1CBE84B222768F6E3,SHA256=3BBD3AE4CEE808BE97D8847110B900838C4DAC4E88DE74057D4058CA72182C20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031610Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:25.173{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DB9216503E6EE722D8F3F2D804D7710,SHA256=34FB238A6461135E8DE26D7B2A5B0DB5D320D6345D5F35987EFF0A1C592BC3BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031612Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:24.812{CE7C8936-1B1A-61E9-D900-000000002202}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-276.eu-central-1.compute.internal51373-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031611Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:26.189{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E72001A95EFA12DC3D5F1ECA0E717D4,SHA256=5F6FEF342A976B16EBDD43DC30BF55B79249DB9FD8956164A1C5ABAD277597D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:26.566{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B90C33B169D63D5DFE9C26FD49BFA6A,SHA256=670B45262580E93C90228224B62C9BE172375664395D0F70E222403608758A2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:27.592{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B4AC92E44A9EF8FB4EE32E859851333,SHA256=4ED1396C2F0E38E9473EAD21940EE3C615FA325FB06542AF1939EAEBC6E2F53D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031613Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:27.220{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AED5E3DD9DC6558A09190C6FA475871,SHA256=4AB1DD806218D0D1FA8F9A2CCF011912C43BAAFD81839E52B532C39698F9FD36,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:25.346{6F5BEE90-18C6-61E9-6E00-000000002102}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-53.attackrange.local52430-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000058057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:28.595{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24FBE01C6B6B2E75D6122635D32763BD,SHA256=FA723B975C112BCE902BBA363B9DC17E9D9C4890166B8F3739F217D89CDADD1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031614Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:28.223{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85DA3F69BC25345A9FCD9FF6EDD7DE85,SHA256=D1DFD587E29D84D547DE8060206E763928A19866FE1669C7E9F9544FAF767C1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:29.596{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF3B16198FC16FA4CDB52DE98C60C8DE,SHA256=2516C4A16C269A53498DF6178D5C0B50E8000181D0A8B864C9968FD10D780EE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031619Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:27.764{CE7C8936-1A7C-61E9-1000-000000002202}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse184.105.139.69scan-03.shadowserver.org39764-false10.0.1.15win-host-tcontreras-attack-range-276.eu-central-1.compute.internal3389ms-wbt-server 10341000x800000000000000031618Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:29.411{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7C-61E9-0B00-000000002202}604C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031617Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:29.411{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7C-61E9-0B00-000000002202}604C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031616Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:29.411{CE7C8936-1A7C-61E9-0B00-000000002202}6043324C:\Windows\system32\lsass.exe{CE7C8936-1A7C-61E9-0A00-000000002202}596C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000031615Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:29.254{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92845E5F4CD721788A028383B3AF410A,SHA256=6943290731ECDF0959EA13B8D2F203BB61FC995DF4E76055DC584C1BD7E39C5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:30.615{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9632DDC263F3B721E2CBBCB19CF5BAAB,SHA256=B9254CFBFDB9C82F787F173D28B3396A70D822897972927BF39B8E00A335F290,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031622Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:30.442{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=138581933C46B600CBAAAF2BBBEE00F9,SHA256=9E52A06F7BC66F5B755BCB56EA6FD9CCDF991E32DD62E2CEB2B477018D041CA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031621Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:30.442{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=26BEC39B4377DEAB9D32710BA5BAC2CA,SHA256=88B8D801F876FD98A6B29D69167111B8B0CB6462A1A193E4C44E36EAAF5C83D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031620Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:30.270{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32ABB42711CB8BEB7515929DA591BD61,SHA256=FA36BEF3DB6CBB2073AD0F46C2A08514EDC681631883AC131289BE228F6A4195,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031623Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:31.286{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=543282327C0AC2571D256502CF7EE600,SHA256=F1806AC586B7902BD141EF6F291603D4EE02492D5D39F024851A4FD7217559FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:31.635{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C96559D15D6F724E0E4E0A2765D7B28,SHA256=16ED8C2C743DEC8AFF5B14B8D1A5C15381242845554D393D9C8738EE820CFDC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:29.690{6F5BEE90-18B8-61E9-2A00-000000002102}2964C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-53.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal61601- 23542300x800000000000000058063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:32.650{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CB80DB9DA029C1EE41A9F9339540FBD,SHA256=E91FDF9F69570D2F025770C44494E0EAE7E97EAC04AB8DC124E55F8CE431AC20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031630Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:32.586{CE7C8936-1A7D-61E9-2200-000000002202}1212NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b4c8a78fb3fad9c4\channels\health\respondent-20220120081703-136MD5=48D9DB22D5DA72E1508DB4774F89CD54,SHA256=47231F73915EFCF046725A41CCC183BD3625BDF28EF9197BB172C87CF7B7A72C,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031629Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:29.940{CE7C8936-1B1A-61E9-D900-000000002202}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-276.eu-central-1.compute.internal51374-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x800000000000000031628Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:29.138{CE7C8936-1A7D-61E9-1600-000000002202}1216C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-tcontreras-attack-range-276.eu-central-1.compute.internal61601-false10.0.1.14-53domain 354300x800000000000000031627Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:29.138{CE7C8936-1A7D-61E9-1600-000000002202}1216C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:c93:ffff:28c1:2307:1a8:ffff-60559-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x800000000000000031626Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:29.138{CE7C8936-1A7D-61E9-1600-000000002202}1216C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:48df:ff2f:8220:4d8awin-host-tcontreras-attack-range-276.eu-central-1.compute.internal60559-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x800000000000000031625Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:29.136{CE7C8936-1A7D-61E9-1600-000000002202}1216C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:c93:ffff:28c1:2307:1a8:ffff-61601-truea00:10e:0:0:0:0:0:0-53domain 23542300x800000000000000031624Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:32.317{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52A14B146599EACE67188B71625BAA9C,SHA256=5CC1F0B51203C803404373F1DB2844F24789E8B489F3132C2D6916BC2F9A0CB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:30.545{6F5BEE90-18C6-61E9-6E00-000000002102}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-53.attackrange.local52431-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000058064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:33.665{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBB2940C263CA03E08D4A3E464B15BA0,SHA256=B3F1D1A42FDCB67BB24DE14429DF5009AC2F9F2C90811DBF7B78C536B3464931,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031632Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:33.586{CE7C8936-1A7D-61E9-2200-000000002202}1212NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0b4c8a78fb3fad9c4\channels\health\surveyor-20220120081701-137MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031631Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:33.319{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D6BDB387D68BCDF0C1624AC42F7CE84,SHA256=55A88817135C406E62665AB556A06CE4B3F135D7D94E6041B4B12349080B6F9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:34.681{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A141F370264E1BA78791858F5E11A0D3,SHA256=3DFD661D68F73556CD9DE4CC223717998075456DE40CE5BEF6324EBAED7F4464,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031633Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:34.320{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2743CFEF8C58728C803D2B1DEF88E59B,SHA256=1C40BD8033C15E11C29BF8BEF0CD35213AB44B2FF9C058AA130D9ABF701833FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:35.704{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=379EE61A6BE9E769EE81FE0A1BE8D712,SHA256=84C0359BF7E33C847613B9F7AA503CF02DA0C8BA6F873CFEB0A828A4A16017EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031634Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:35.351{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10D56F140C53B5E369CDB5A6F6FA7B91,SHA256=D45809AE3C858B6BC3FD2F6677A0A3A1B79E690E1EF128F44974FC8FBD73ACC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:36.727{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=743AE026BEB3D3C931D070E7EBEB29DC,SHA256=52FFA54AF5D4E332277858ADE35A733E0E0F590901D27DBE27322A22EF8C311F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031635Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:36.382{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CF65BD091E180830380400B5795B1F0,SHA256=441FB4D9722A7F780E93CC33AAB536016C46233E9A22C1CDF48E2921D041C156,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:36.588{6F5BEE90-1B15-61E9-FA00-000000002102}46326520C:\Windows\Explorer.EXE{6F5BEE90-3AA2-61E9-5509-000000002102}3436C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:36.588{6F5BEE90-1B15-61E9-FA00-000000002102}46326520C:\Windows\Explorer.EXE{6F5BEE90-3AA2-61E9-5509-000000002102}3436C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:36.588{6F5BEE90-1B15-61E9-FA00-000000002102}46326520C:\Windows\Explorer.EXE{6F5BEE90-3AA2-61E9-5509-000000002102}3436C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:36.557{6F5BEE90-1B15-61E9-FA00-000000002102}46325552C:\Windows\Explorer.EXE{6F5BEE90-3AA2-61E9-5609-000000002102}92C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62db0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:36.557{6F5BEE90-1B15-61E9-FA00-000000002102}46325552C:\Windows\Explorer.EXE{6F5BEE90-3AA2-61E9-5609-000000002102}92C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+62d6c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:36.557{6F5BEE90-1B15-61E9-FA00-000000002102}46325552C:\Windows\Explorer.EXE{6F5BEE90-3AA2-61E9-5609-000000002102}92C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62d40|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:36.557{6F5BEE90-1B15-61E9-FA00-000000002102}46325552C:\Windows\Explorer.EXE{6F5BEE90-3AA2-61E9-5609-000000002102}92C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:36.457{6F5BEE90-1B15-61E9-FA00-000000002102}46326520C:\Windows\Explorer.EXE{6F5BEE90-3549-61E9-A608-000000002102}2936C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:36.457{6F5BEE90-1B15-61E9-FA00-000000002102}46326520C:\Windows\Explorer.EXE{6F5BEE90-3549-61E9-A608-000000002102}2936C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:36.457{6F5BEE90-1B15-61E9-FA00-000000002102}46326520C:\Windows\Explorer.EXE{6F5BEE90-3549-61E9-A608-000000002102}2936C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:36.426{6F5BEE90-1B15-61E9-FA00-000000002102}46325552C:\Windows\Explorer.EXE{6F5BEE90-3549-61E9-A608-000000002102}2936C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62db0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:36.426{6F5BEE90-1B15-61E9-FA00-000000002102}46325552C:\Windows\Explorer.EXE{6F5BEE90-3549-61E9-A608-000000002102}2936C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+62d6c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:36.426{6F5BEE90-1B15-61E9-FA00-000000002102}46325552C:\Windows\Explorer.EXE{6F5BEE90-3549-61E9-A608-000000002102}2936C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62d40|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:36.426{6F5BEE90-1B15-61E9-FA00-000000002102}46325552C:\Windows\Explorer.EXE{6F5BEE90-3549-61E9-A608-000000002102}2936C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000058083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:37.742{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2102E8732EA3367CC3954281CFEE9B87,SHA256=BD3DCFBD8386C69396029C1EB6064124CAADC279D7596B3FEAE54585D2F26E57,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031637Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:35.849{CE7C8936-1B1A-61E9-D900-000000002202}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-276.eu-central-1.compute.internal51375-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031636Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:37.398{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A36CABEBDDF701DCE30B4CD73178F3C2,SHA256=F6DDE2B7A2283E156DF18CF6063A19108B5EE83753D6154687CFC18D54E4DF90,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:36.483{6F5BEE90-18C6-61E9-6E00-000000002102}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-53.attackrange.local52432-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000058114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:38.928{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=639479FD1B06497CC937A57439793DFC,SHA256=C544D91D915A0A7FFBFD8656CD727C3A6EAAA6DDC5E4530B08C65DF9FF646D34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031638Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:38.414{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E88EFF90393681A66B2D8AA41E1385C,SHA256=AAE17F2497EB6D96136405CDF1A3F604F524789E63599E4DB37324F421E02CC5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:38.294{6F5BEE90-1B14-61E9-F000-000000002102}49285480C:\Windows\System32\RuntimeBroker.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000058112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:38.294{6F5BEE90-1B14-61E9-F000-000000002102}49285480C:\Windows\System32\RuntimeBroker.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000058111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:38.294{6F5BEE90-1B15-61E9-FA00-000000002102}46324588C:\Windows\Explorer.EXE{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:38.294{6F5BEE90-1B15-61E9-FA00-000000002102}46324588C:\Windows\Explorer.EXE{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:38.262{6F5BEE90-1B14-61E9-F000-000000002102}49285480C:\Windows\System32\RuntimeBroker.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000058108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:38.262{6F5BEE90-1B14-61E9-F000-000000002102}49285480C:\Windows\System32\RuntimeBroker.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x800000000000000058107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:38.262{6F5BEE90-1B14-61E9-F000-000000002102}49286284C:\Windows\System32\RuntimeBroker.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000058106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:38.262{6F5BEE90-1B14-61E9-F000-000000002102}49286284C:\Windows\System32\RuntimeBroker.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e 10341000x800000000000000058105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:38.247{6F5BEE90-1B15-61E9-FA00-000000002102}46325360C:\Windows\Explorer.EXE{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba0bc|C:\Windows\System32\TwinUI.dll+ba897|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000058104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:38.247{6F5BEE90-1B15-61E9-FA00-000000002102}46325360C:\Windows\Explorer.EXE{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba0bc|C:\Windows\System32\TwinUI.dll+ba897|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000058103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:38.205{6F5BEE90-1B15-61E9-FA00-000000002102}46326520C:\Windows\Explorer.EXE{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:38.205{6F5BEE90-18A7-61E9-0B00-000000002102}6085192C:\Windows\system32\lsass.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:38.205{6F5BEE90-1B15-61E9-FA00-000000002102}46326520C:\Windows\Explorer.EXE{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:38.189{6F5BEE90-1B15-61E9-FA00-000000002102}46326520C:\Windows\Explorer.EXE{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:38.189{6F5BEE90-18A9-61E9-0C00-000000002102}8285624C:\Windows\system32\svchost.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:38.189{6F5BEE90-18A9-61E9-0D00-000000002102}8885904C:\Windows\system32\svchost.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:38.189{6F5BEE90-18A9-61E9-0D00-000000002102}8885904C:\Windows\system32\svchost.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:38.189{6F5BEE90-18A9-61E9-0D00-000000002102}8885904C:\Windows\system32\svchost.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:38.189{6F5BEE90-18A9-61E9-0D00-000000002102}8885904C:\Windows\system32\svchost.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:38.189{6F5BEE90-18A9-61E9-0D00-000000002102}8885904C:\Windows\system32\svchost.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:38.189{6F5BEE90-18A9-61E9-0D00-000000002102}8885904C:\Windows\system32\svchost.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:38.189{6F5BEE90-18A9-61E9-0C00-000000002102}8285624C:\Windows\system32\svchost.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:38.189{6F5BEE90-18A9-61E9-0C00-000000002102}8285624C:\Windows\system32\svchost.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:38.189{6F5BEE90-18A9-61E9-0C00-000000002102}8285624C:\Windows\system32\svchost.exe{6F5BEE90-1B24-61E9-1101-000000002102}5640C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:38.189{6F5BEE90-18A9-61E9-0C00-000000002102}8281952C:\Windows\system32\svchost.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000058088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:38.189{6F5BEE90-18A9-61E9-0C00-000000002102}8281952C:\Windows\system32\svchost.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000058087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:38.189{6F5BEE90-1B15-61E9-FA00-000000002102}46325552C:\Windows\Explorer.EXE{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:38.189{6F5BEE90-18A9-61E9-0C00-000000002102}8281952C:\Windows\system32\svchost.exe{6F5BEE90-1B24-61E9-1101-000000002102}5640C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000058085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:38.189{6F5BEE90-1B15-61E9-FA00-000000002102}46326136C:\Windows\Explorer.EXE{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:38.189{6F5BEE90-1B15-61E9-FA00-000000002102}46326136C:\Windows\Explorer.EXE{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000058115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:39.933{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=496A76DCBC11746FA4759E377A1D6486,SHA256=35148C248AD022C9CB32575C38DDF860034353AD41CC6EF1EE3EA09AB736D8BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031653Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:39.882{CE7C8936-3B73-61E9-0306-000000002202}32841832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{CE7C8936-1B12-61E9-AB00-000000002202}1912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031652Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:39.742{CE7C8936-1B12-61E9-AF00-000000002202}24603956C:\Windows\system32\conhost.exe{CE7C8936-3B73-61E9-0306-000000002202}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031651Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:39.742{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031650Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:39.742{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031649Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:39.742{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031648Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:39.742{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031647Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:39.742{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031646Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:39.742{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031645Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:39.742{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031644Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:39.742{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031643Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:39.742{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031642Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:39.742{CE7C8936-1A7C-61E9-0500-000000002202}388940C:\Windows\system32\csrss.exe{CE7C8936-3B73-61E9-0306-000000002202}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000031641Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:39.742{CE7C8936-1B12-61E9-AB00-000000002202}19122580C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CE7C8936-3B73-61E9-0306-000000002202}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000031640Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:39.743{CE7C8936-3B73-61E9-0306-000000002202}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CE7C8936-1A7C-61E9-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{CE7C8936-1B12-61E9-AB00-000000002202}1912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000031639Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:39.445{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0569408BFDCFC59FE0FBA64A9A4897E7,SHA256=505936728A4710DAE7177027F583A1C87333BB191F150DD692B9046D6B8212E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:40.952{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1F2267BBB73A7F745E7B3791019D385,SHA256=05BC847F05C26035038D58C17D04D00367ECEEAF441F4E00C064949D35D2691E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031669Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:40.976{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=446AA6A8927869A207F0721FAADDCD57,SHA256=0DB43471A1EA4C051AA12C41421E6CD507052120B23C3BF45A355F9112D70A2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031668Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:40.976{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9A563716E055571CF0E96DDC8076484,SHA256=0E965C11A2A2D731ADD6A237111D364708C144CE29D25EB3335149301ED21B96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031667Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:40.882{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4397F3822F3F4FA2E647123F548C278E,SHA256=7BE614842D85251443D53099A2FB771BA148B8F5F2D270A49C2D19D2A0797ABF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000031666Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:40.414{CE7C8936-1B12-61E9-AF00-000000002202}24603956C:\Windows\system32\conhost.exe{CE7C8936-3B74-61E9-0406-000000002202}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031665Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:40.414{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031664Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:40.414{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031663Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:40.414{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031662Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:40.414{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031661Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:40.414{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031660Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:40.414{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031659Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:40.414{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031658Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:40.414{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031657Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:40.414{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031656Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:40.414{CE7C8936-1A7C-61E9-0500-000000002202}388504C:\Windows\system32\csrss.exe{CE7C8936-3B74-61E9-0406-000000002202}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000031655Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:40.414{CE7C8936-1B12-61E9-AB00-000000002202}19122580C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CE7C8936-3B74-61E9-0406-000000002202}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000031654Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:40.414{CE7C8936-3B74-61E9-0406-000000002202}3152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CE7C8936-1A7C-61E9-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{CE7C8936-1B12-61E9-AB00-000000002202}1912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000031684Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:41.929{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5D62731CEC13FC882019D67A4F086A2,SHA256=4F77553C7D23BD117B0D93197A942F08541D13B0F456C0F52AE084EE3F6864FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058126Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:41.968{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF20183163B89D646520780CC32D70E4,SHA256=00E103AE84EE2CA4E6338B886618D8C3BDF933F1619CAE0C8C5D1243C9C75D4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:41.961{6F5BEE90-18AA-61E9-1400-000000002102}10926796C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2C00-000000002102}2984C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:41.773{6F5BEE90-18B9-61E9-3500-000000002102}33043324C:\Windows\system32\conhost.exe{6F5BEE90-3B75-61E9-6F09-000000002102}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:41.772{6F5BEE90-18A9-61E9-0C00-000000002102}8283272C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2C00-000000002102}2984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:41.770{6F5BEE90-18A9-61E9-0C00-000000002102}8283272C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2C00-000000002102}2984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:41.769{6F5BEE90-18A9-61E9-0C00-000000002102}8283272C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2C00-000000002102}2984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:41.768{6F5BEE90-18A9-61E9-0C00-000000002102}8283272C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2C00-000000002102}2984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:41.768{6F5BEE90-18A7-61E9-0500-000000002102}392508C:\Windows\system32\csrss.exe{6F5BEE90-3B75-61E9-6F09-000000002102}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000058118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:41.767{6F5BEE90-18B8-61E9-2F00-000000002102}30243900C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F5BEE90-3B75-61E9-6F09-000000002102}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000058117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:41.765{6F5BEE90-3B75-61E9-6F09-000000002102}6192C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F5BEE90-18A8-61E9-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{6F5BEE90-18B8-61E9-2F00-000000002102}3024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000031683Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:40.077{CE7C8936-1A7C-61E9-1000-000000002202}920C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse184.105.139.69scan-03.shadowserver.org44358-false10.0.1.15win-host-tcontreras-attack-range-276.eu-central-1.compute.internal3389ms-wbt-server 10341000x800000000000000031682Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:41.023{CE7C8936-1B12-61E9-AF00-000000002202}24603956C:\Windows\system32\conhost.exe{CE7C8936-3B75-61E9-0506-000000002202}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031681Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:41.023{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031680Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:41.023{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031679Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:41.023{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031678Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:41.023{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031677Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:41.023{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031676Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:41.023{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031675Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:41.023{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031674Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:41.023{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031673Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:41.023{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031672Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:41.023{CE7C8936-1A7C-61E9-0500-000000002202}388504C:\Windows\system32\csrss.exe{CE7C8936-3B75-61E9-0506-000000002202}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000031671Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:41.023{CE7C8936-1B12-61E9-AB00-000000002202}19122580C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CE7C8936-3B75-61E9-0506-000000002202}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000031670Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:41.024{CE7C8936-3B75-61E9-0506-000000002202}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CE7C8936-1A7C-61E9-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{CE7C8936-1B12-61E9-AB00-000000002202}1912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000031713Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:42.867{CE7C8936-3B76-61E9-0706-000000002202}29562216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CE7C8936-1B12-61E9-AB00-000000002202}1912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031712Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:42.726{CE7C8936-1B12-61E9-AF00-000000002202}24603956C:\Windows\system32\conhost.exe{CE7C8936-3B76-61E9-0706-000000002202}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031711Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:42.726{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031710Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:42.726{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031709Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:42.726{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031708Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:42.726{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031707Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:42.726{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031706Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:42.726{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031705Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:42.726{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031704Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:42.726{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031703Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:42.726{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031702Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:42.726{CE7C8936-1A7C-61E9-0500-000000002202}388504C:\Windows\system32\csrss.exe{CE7C8936-3B76-61E9-0706-000000002202}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000031701Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:42.726{CE7C8936-1B12-61E9-AB00-000000002202}19122580C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CE7C8936-3B76-61E9-0706-000000002202}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000031700Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:42.727{CE7C8936-3B76-61E9-0706-000000002202}2956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CE7C8936-1A7C-61E9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CE7C8936-1B12-61E9-AB00-000000002202}1912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000031699Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:42.226{CE7C8936-3B76-61E9-0606-000000002202}36522380C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CE7C8936-1B12-61E9-AB00-000000002202}1912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031698Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:42.101{CE7C8936-1B12-61E9-AF00-000000002202}24603956C:\Windows\system32\conhost.exe{CE7C8936-3B76-61E9-0606-000000002202}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031697Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:42.101{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031696Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:42.101{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031695Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:42.101{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031694Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:42.101{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031693Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:42.101{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031692Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:42.101{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031691Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:42.101{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031690Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:42.101{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031689Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:42.101{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031688Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:42.101{CE7C8936-1A7C-61E9-0500-000000002202}388504C:\Windows\system32\csrss.exe{CE7C8936-3B76-61E9-0606-000000002202}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000031687Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:42.101{CE7C8936-1B12-61E9-AB00-000000002202}19122580C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CE7C8936-3B76-61E9-0606-000000002202}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000031686Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:42.102{CE7C8936-3B76-61E9-0606-000000002202}3652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CE7C8936-1A7C-61E9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CE7C8936-1B12-61E9-AB00-000000002202}1912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000031685Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:42.070{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=446AA6A8927869A207F0721FAADDCD57,SHA256=0DB43471A1EA4C051AA12C41421E6CD507052120B23C3BF45A355F9112D70A2A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.950{6F5BEE90-1B14-61E9-F000-000000002102}49286284C:\Windows\System32\RuntimeBroker.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000058169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.950{6F5BEE90-1B14-61E9-F000-000000002102}49286284C:\Windows\System32\RuntimeBroker.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e 10341000x800000000000000058168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.950{6F5BEE90-1B14-61E9-F000-000000002102}49285480C:\Windows\System32\RuntimeBroker.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000058167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.950{6F5BEE90-1B14-61E9-F000-000000002102}49283944C:\Windows\System32\RuntimeBroker.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000058166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.950{6F5BEE90-1B14-61E9-F000-000000002102}49283944C:\Windows\System32\RuntimeBroker.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e 10341000x800000000000000058165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.950{6F5BEE90-1B14-61E9-F000-000000002102}49285480C:\Windows\System32\RuntimeBroker.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e 10341000x800000000000000058164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.919{6F5BEE90-1B14-61E9-F000-000000002102}49286680C:\Windows\System32\RuntimeBroker.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+b7e5d|C:\Windows\System32\windows.storage.dll+147646|C:\Windows\System32\windows.storage.dll+148fa8|C:\Windows\system32\windows.cortana.onecore.dll+1602f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x800000000000000058163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.919{6F5BEE90-1B14-61E9-F000-000000002102}49286680C:\Windows\System32\RuntimeBroker.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+b7e5d|C:\Windows\System32\windows.storage.dll+ba540|C:\Windows\System32\windows.storage.dll+ebc14|C:\Windows\System32\windows.storage.dll+e930b|C:\Windows\system32\windows.cortana.onecore.dll+1717e|C:\Windows\system32\windows.cortana.onecore.dll+15fb7|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+8ab6b|C:\Windows\System32\combase.dll+8c0b2|C:\Windows\System32\combase.dll+39b43|C:\Windows\System32\combase.dll+8c1cd|C:\Windows\System32\combase.dll+37e8f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa 10341000x800000000000000058162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.919{6F5BEE90-1B14-61E9-F000-000000002102}49285480C:\Windows\System32\RuntimeBroker.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000058161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.919{6F5BEE90-1B14-61E9-F000-000000002102}49285480C:\Windows\System32\RuntimeBroker.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e 10341000x800000000000000058160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.881{6F5BEE90-18AA-61E9-1600-000000002102}13241676C:\Windows\System32\svchost.exe{6F5BEE90-3B76-61E9-7209-000000002102}5796C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.881{6F5BEE90-18AA-61E9-1600-000000002102}13241364C:\Windows\System32\svchost.exe{6F5BEE90-3B76-61E9-7209-000000002102}5796C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.881{6F5BEE90-18A9-61E9-0C00-000000002102}8285624C:\Windows\system32\svchost.exe{6F5BEE90-3B76-61E9-7209-000000002102}5796C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.866{6F5BEE90-1B0F-61E9-E500-000000002102}41763520C:\Windows\system32\csrss.exe{6F5BEE90-3B76-61E9-7209-000000002102}5796C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000058156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.866{6F5BEE90-18A7-61E9-0500-000000002102}392508C:\Windows\system32\csrss.exe{6F5BEE90-3B76-61E9-7209-000000002102}5796C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000058155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.866{6F5BEE90-18A9-61E9-0C00-000000002102}8285624C:\Windows\system32\svchost.exe{6F5BEE90-3B76-61E9-7209-000000002102}5796C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366d9|c:\windows\system32\rpcss.dll+3bec2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000058154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.850{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB1D00F57F3BD1198782B32737CF1862,SHA256=1BC5ED67BD260AE2038955D678C795B700E2101C2ABF7BDF42380C8356F5CF82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.850{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F44B77878DA543656D1BDD4D20FFF6A0,SHA256=2FCE086B0FB59DE8EFFA9EEA06D9D1DEC86E43E0CD62D54A2DD263B9EE28AB2F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.765{6F5BEE90-1B14-61E9-F000-000000002102}49285480C:\Windows\System32\RuntimeBroker.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000058151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.765{6F5BEE90-1B14-61E9-F000-000000002102}49285480C:\Windows\System32\RuntimeBroker.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000058150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.713{6F5BEE90-18AA-61E9-1600-000000002102}13241676C:\Windows\System32\svchost.exe{6F5BEE90-3B76-61E9-7109-000000002102}7164C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.713{6F5BEE90-18AA-61E9-1600-000000002102}13241364C:\Windows\System32\svchost.exe{6F5BEE90-3B76-61E9-7109-000000002102}7164C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.680{6F5BEE90-18A9-61E9-0C00-000000002102}8285624C:\Windows\system32\svchost.exe{6F5BEE90-3B76-61E9-7109-000000002102}7164C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.657{6F5BEE90-3B76-61E9-7009-000000002102}58842412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6F5BEE90-18B8-61E9-2F00-000000002102}3024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058146Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.617{6F5BEE90-1B0F-61E9-E500-000000002102}41762952C:\Windows\system32\csrss.exe{6F5BEE90-3B76-61E9-7109-000000002102}7164C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x800000000000000058145Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.617{6F5BEE90-1B26-61E9-1201-000000002102}5320ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\DDGKRVIA\microsoft.windows[1].xmlMD5=C644BFED912A6E3D27771F37454B7928,SHA256=2ED7DB97E6B3F178709A56FBB6436D86DA55639911CFB4B28E5224A472EBDE04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058144Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.617{6F5BEE90-18A7-61E9-0500-000000002102}392508C:\Windows\system32\csrss.exe{6F5BEE90-3B76-61E9-7109-000000002102}7164C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000058143Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.617{6F5BEE90-18A9-61E9-0C00-000000002102}8285624C:\Windows\system32\svchost.exe{6F5BEE90-3B76-61E9-7109-000000002102}7164C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37396|c:\windows\system32\rpcss.dll+3df7d|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000058142Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.617{6F5BEE90-1B26-61E9-1201-000000002102}5320ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\DDGKRVIA\microsoft.windows[1].xmlMD5=C1DDEA3EF6BBEF3E7060A1A9AD89E4C5,SHA256=B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058141Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.617{6F5BEE90-1B14-61E9-F000-000000002102}49285480C:\Windows\System32\RuntimeBroker.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000058140Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.617{6F5BEE90-1B14-61E9-F000-000000002102}49285480C:\Windows\System32\RuntimeBroker.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e 354300x800000000000000058139Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:41.494{6F5BEE90-18C6-61E9-6E00-000000002102}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-53.attackrange.local52433-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000058138Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.332{6F5BEE90-18B9-61E9-3500-000000002102}33043324C:\Windows\system32\conhost.exe{6F5BEE90-3B76-61E9-7009-000000002102}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058137Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.316{6F5BEE90-18A9-61E9-0C00-000000002102}8285624C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2C00-000000002102}2984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058136Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.316{6F5BEE90-18A9-61E9-0C00-000000002102}8285624C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2C00-000000002102}2984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058135Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.316{6F5BEE90-18A9-61E9-0C00-000000002102}8285624C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2C00-000000002102}2984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058134Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.316{6F5BEE90-18A9-61E9-0C00-000000002102}8285624C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2C00-000000002102}2984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058133Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.316{6F5BEE90-18A7-61E9-0500-000000002102}392368C:\Windows\system32\csrss.exe{6F5BEE90-3B76-61E9-7009-000000002102}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000058132Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.316{6F5BEE90-18B8-61E9-2F00-000000002102}30243900C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F5BEE90-3B76-61E9-7009-000000002102}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000058131Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.311{6F5BEE90-3B76-61E9-7009-000000002102}5884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F5BEE90-18A8-61E9-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{6F5BEE90-18B8-61E9-2F00-000000002102}3024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000058130Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.310{6F5BEE90-1B26-61E9-1201-000000002102}5320ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\DDGKRVIA\microsoft.windows[1].xmlMD5=C1DDEA3EF6BBEF3E7060A1A9AD89E4C5,SHA256=B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058129Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.277{6F5BEE90-1B26-61E9-1201-000000002102}5320ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\DDGKRVIA\microsoft.windows[1].xmlMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058128Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.246{6F5BEE90-1B15-61E9-FA00-000000002102}46325324C:\Windows\Explorer.EXE{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a20|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF803E7C6BFF8)|UNKNOWN(FFFFFF171F0A5B48)|UNKNOWN(FFFFFF171F0A5CC7)|UNKNOWN(FFFFFF171F0A0351)|UNKNOWN(FFFFFF171F0A1D1A)|UNKNOWN(FFFFFF171F09FFD6)|UNKNOWN(FFFFF803E7983503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5928b|C:\Windows\System32\SHELL32.dll+dac4a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000058127Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.246{6F5BEE90-1B15-61E9-FA00-000000002102}46325324C:\Windows\Explorer.EXE{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55501|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF803E7C6BFF8)|UNKNOWN(FFFFFF171F0A5B48)|UNKNOWN(FFFFFF171F0A5CC7)|UNKNOWN(FFFFFF171F0A0351)|UNKNOWN(FFFFFF171F0A1D1A)|UNKNOWN(FFFFFF171F09FFD6)|UNKNOWN(FFFFF803E7983503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5928b|C:\Windows\System32\SHELL32.dll+dac4a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031743Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:43.976{CE7C8936-1B12-61E9-AF00-000000002202}24603956C:\Windows\system32\conhost.exe{CE7C8936-3B77-61E9-0906-000000002202}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031742Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:43.976{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031741Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:43.976{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031740Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:43.976{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031739Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:43.976{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031738Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:43.976{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031737Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:43.976{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031736Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:43.976{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031735Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:43.976{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031734Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:43.976{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031733Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:43.976{CE7C8936-1A7C-61E9-0500-000000002202}388404C:\Windows\system32\csrss.exe{CE7C8936-3B77-61E9-0906-000000002202}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000031732Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:43.976{CE7C8936-1B12-61E9-AB00-000000002202}19122580C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CE7C8936-3B77-61E9-0906-000000002202}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000031731Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:43.977{CE7C8936-3B77-61E9-0906-000000002202}2620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CE7C8936-1A7C-61E9-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{CE7C8936-1B12-61E9-AB00-000000002202}1912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000031730Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:40.865{CE7C8936-1B1A-61E9-D900-000000002202}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-276.eu-central-1.compute.internal51376-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000031729Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:43.445{CE7C8936-3B77-61E9-0806-000000002202}39923392C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{CE7C8936-1B12-61E9-AB00-000000002202}1912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031728Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:43.304{CE7C8936-1B12-61E9-AF00-000000002202}24603956C:\Windows\system32\conhost.exe{CE7C8936-3B77-61E9-0806-000000002202}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031727Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:43.304{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031726Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:43.304{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031725Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:43.304{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031724Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:43.304{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031723Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:43.304{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031722Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:43.304{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031721Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:43.304{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031720Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:43.304{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031719Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:43.304{CE7C8936-1A7C-61E9-0C00-000000002202}7003204C:\Windows\system32\svchost.exe{CE7C8936-1A7D-61E9-1D00-000000002202}1956C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000031718Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:43.304{CE7C8936-1A7C-61E9-0500-000000002202}388940C:\Windows\system32\csrss.exe{CE7C8936-3B77-61E9-0806-000000002202}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000031717Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:43.304{CE7C8936-1B12-61E9-AB00-000000002202}19122580C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CE7C8936-3B77-61E9-0806-000000002202}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000031716Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:43.307{CE7C8936-3B77-61E9-0806-000000002202}3992C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CE7C8936-1A7C-61E9-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{CE7C8936-1B12-61E9-AB00-000000002202}1912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000031715Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:43.304{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A20004AABCEAE139AB153ED653EFE394,SHA256=1849138721D1C1F1F4CBFE3B549D0A42F3F45F5378A443B6C15267258FDD09AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031714Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:43.304{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A30617711A56047B6E40E5FC8B076EB2,SHA256=629DBD1D378AFD0EF63FE548F697372ED7D11537D99C5C3AB377C54F82A5337B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:43.897{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB1D00F57F3BD1198782B32737CF1862,SHA256=1BC5ED67BD260AE2038955D678C795B700E2101C2ABF7BDF42380C8356F5CF82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:43.797{6F5BEE90-18A9-61E9-0C00-000000002102}8285624C:\Windows\system32\svchost.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000058175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:43.797{6F5BEE90-18A9-61E9-0C00-000000002102}8285624C:\Windows\system32\svchost.exe{6F5BEE90-1B24-61E9-1101-000000002102}5640C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000058174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:43.797{6F5BEE90-18A9-61E9-0C00-000000002102}8281952C:\Windows\system32\svchost.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000058173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:43.797{6F5BEE90-18A9-61E9-0C00-000000002102}8281952C:\Windows\system32\svchost.exe{6F5BEE90-1B24-61E9-1101-000000002102}5640C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 23542300x800000000000000058172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:43.019{6F5BEE90-1B26-61E9-1201-000000002102}5320ATTACKRANGE\AdministratorC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\Administrator\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\DDGKRVIA\microsoft.windows[1].xmlMD5=C644BFED912A6E3D27771F37454B7928,SHA256=2ED7DB97E6B3F178709A56FBB6436D86DA55639911CFB4B28E5224A472EBDE04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:42.997{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42BFDA8A0B38429798D485E9C39CFC91,SHA256=445D63275CDC82754A5A2C54950ECC19B49C67F82B4178F620FF1AA18C9212F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031745Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:44.586{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32B4F28FB42CDFD67A4F31CCF4335F07,SHA256=77FC39C4F3D6F62ADAFAF50CF70A7AEC61968940B6DCBEDFFD4876170CA3DF63,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:43.529{6F5BEE90-18A7-61E9-0B00-000000002102}608C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-53.attackrange.local52434-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-53.attackrange.local389ldap 354300x800000000000000058179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:43.529{6F5BEE90-18B8-61E9-2700-000000002102}2904C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-53.attackrange.local52434-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-53.attackrange.local389ldap 23542300x800000000000000058178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:44.034{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25246ABD9D90F9520FE8048F28E595DF,SHA256=FD8BCCB10D30F30A749BA98E44626E06CF4F8AE6BB104A31764B975BA9B9DDBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031744Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:44.351{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5BE7F189BC0E476234203E2B4A156D9,SHA256=F7266FCFF6DE80E3CF8E307121924BDA9D07AD21AFC0C93199C8FEEC81C10B69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031746Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:45.648{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFF9BAB19A9A871C6872133E5BCC2B31,SHA256=ABAA602D6185A61BC30B8B3FD8DD1DF96B717A947AC6A6C3110205665AC5CFBE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:45.936{6F5BEE90-1B14-61E9-F400-000000002102}36683156C:\Windows\System32\taskhostw.exe{6F5BEE90-1B15-61E9-FA00-000000002102}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:45.916{6F5BEE90-1B14-61E9-F400-000000002102}36683156C:\Windows\System32\taskhostw.exe{6F5BEE90-1B15-61E9-FA00-000000002102}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:45.821{6F5BEE90-1B15-61E9-FA00-000000002102}46325360C:\Windows\Explorer.EXE{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba0bc|C:\Windows\System32\TwinUI.dll+ba897|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000058212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:45.821{6F5BEE90-1B15-61E9-FA00-000000002102}46325360C:\Windows\Explorer.EXE{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba0bc|C:\Windows\System32\TwinUI.dll+ba897|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x800000000000000058211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:45.767{6F5BEE90-1B15-61E9-FA00-000000002102}4632360C:\Windows\Explorer.EXE{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:45.767{6F5BEE90-18A9-61E9-0C00-000000002102}8281296C:\Windows\system32\svchost.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:45.767{6F5BEE90-1B15-61E9-FA00-000000002102}4632360C:\Windows\Explorer.EXE{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+1093d6|C:\Windows\System32\TwinUI.dll+82ba7|C:\Windows\System32\TwinUI.dll+bed5e|C:\Windows\System32\TwinUI.dll+bed29|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:45.767{6F5BEE90-18A9-61E9-0C00-000000002102}8281296C:\Windows\system32\svchost.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:45.720{6F5BEE90-1B14-61E9-F000-000000002102}49285480C:\Windows\System32\RuntimeBroker.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+2fc27|C:\Windows\system32\windows.cortana.Desktop.dll+2fb6b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000058206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:45.718{6F5BEE90-1B14-61E9-F000-000000002102}49285480C:\Windows\System32\RuntimeBroker.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+2fb01|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000058205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:45.698{6F5BEE90-1B14-61E9-F000-000000002102}49285480C:\Windows\System32\RuntimeBroker.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+2fc27|C:\Windows\system32\windows.cortana.Desktop.dll+2fb6b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000058204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:45.698{6F5BEE90-1B14-61E9-F000-000000002102}49285480C:\Windows\System32\RuntimeBroker.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+2fb01|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000058203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:45.698{6F5BEE90-1B14-61E9-F000-000000002102}49285480C:\Windows\System32\RuntimeBroker.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+2fc27|C:\Windows\system32\windows.cortana.Desktop.dll+2fb6b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000058202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:45.698{6F5BEE90-1B14-61E9-F000-000000002102}49285480C:\Windows\System32\RuntimeBroker.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+2fb01|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000058201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:45.698{6F5BEE90-1B14-61E9-F000-000000002102}49286680C:\Windows\System32\RuntimeBroker.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+b7e5d|C:\Windows\System32\windows.storage.dll+ba540|C:\Windows\System32\windows.storage.dll+ebc14|C:\Windows\System32\windows.storage.dll+e930b|C:\Windows\system32\windows.cortana.onecore.dll+1717e|C:\Windows\system32\windows.cortana.onecore.dll+15f51|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\windows.cortana.onecore.dll+12bc0 10341000x800000000000000058200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:45.698{6F5BEE90-1B14-61E9-F000-000000002102}49285480C:\Windows\System32\RuntimeBroker.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000058199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:45.698{6F5BEE90-1B14-61E9-F000-000000002102}49285480C:\Windows\System32\RuntimeBroker.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e 10341000x800000000000000058198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:45.520{6F5BEE90-1B14-61E9-F000-000000002102}49285480C:\Windows\System32\RuntimeBroker.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+2fc27|C:\Windows\system32\windows.cortana.Desktop.dll+2fb6b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000058197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:45.520{6F5BEE90-1B14-61E9-F000-000000002102}49285480C:\Windows\System32\RuntimeBroker.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+2fb01|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000058196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:45.520{6F5BEE90-1B14-61E9-F000-000000002102}49285480C:\Windows\System32\RuntimeBroker.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+2fc27|C:\Windows\system32\windows.cortana.Desktop.dll+2fb6b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000058195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:45.520{6F5BEE90-1B14-61E9-F000-000000002102}49285480C:\Windows\System32\RuntimeBroker.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+2fb01|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000058194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:45.520{6F5BEE90-1B14-61E9-F000-000000002102}49285480C:\Windows\System32\RuntimeBroker.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+2fc27|C:\Windows\system32\windows.cortana.Desktop.dll+2fb6b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000058193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:45.520{6F5BEE90-1B14-61E9-F000-000000002102}49285480C:\Windows\System32\RuntimeBroker.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+2fb01|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000058192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:45.520{6F5BEE90-1B14-61E9-F000-000000002102}49286680C:\Windows\System32\RuntimeBroker.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\windows.storage.dll+b7e5d|C:\Windows\System32\windows.storage.dll+ba540|C:\Windows\System32\windows.storage.dll+ebc14|C:\Windows\System32\windows.storage.dll+e930b|C:\Windows\system32\windows.cortana.onecore.dll+1717e|C:\Windows\system32\windows.cortana.onecore.dll+15f51|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\windows.cortana.onecore.dll+12bc0 10341000x800000000000000058191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:45.518{6F5BEE90-1B14-61E9-F000-000000002102}49285480C:\Windows\System32\RuntimeBroker.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd 10341000x800000000000000058190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:45.518{6F5BEE90-1B14-61E9-F000-000000002102}49285480C:\Windows\System32\RuntimeBroker.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b2a|C:\Windows\System32\combase.dll+6d8fd|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e 10341000x800000000000000058189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:45.250{6F5BEE90-18B9-61E9-3500-000000002102}33043324C:\Windows\system32\conhost.exe{6F5BEE90-3B79-61E9-7309-000000002102}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:45.250{6F5BEE90-18A9-61E9-0C00-000000002102}8281952C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2C00-000000002102}2984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:45.250{6F5BEE90-18A9-61E9-0C00-000000002102}8281952C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2C00-000000002102}2984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:45.250{6F5BEE90-18A9-61E9-0C00-000000002102}8281952C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2C00-000000002102}2984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:45.250{6F5BEE90-18A9-61E9-0C00-000000002102}8281952C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2C00-000000002102}2984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:45.250{6F5BEE90-18A7-61E9-0500-000000002102}392408C:\Windows\system32\csrss.exe{6F5BEE90-3B79-61E9-7309-000000002102}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000058183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:45.250{6F5BEE90-18B8-61E9-2F00-000000002102}30243900C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F5BEE90-3B79-61E9-7309-000000002102}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000058182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:45.251{6F5BEE90-3B79-61E9-7309-000000002102}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F5BEE90-18A8-61E9-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{6F5BEE90-18B8-61E9-2F00-000000002102}3024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000058181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:45.034{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2C34A6D2EC2145074AF0B8DAC39687D,SHA256=C0B79F97F372C8AB03B71E67F3EC314385574DB179D5099B67073496C4E155A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031747Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:46.664{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8241703A66162EF693B805CACFC8FE93,SHA256=07FAA9834C10768870424BF0E537D673F759A8184ECC5A7FB22F0DF0DE7EE196,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:46.353{6F5BEE90-3B7A-61E9-7409-000000002102}1132760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F5BEE90-18B8-61E9-2F00-000000002102}3024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000058226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:46.299{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16D86927F9D05D88F4CAC81CE249530A,SHA256=436E4C604729A51D3856BDFE5958702ACD9F1091FCE4ABCC0C58A95E5BA5CDD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:46.121{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45D982E85B872F383ADC5BC9EF2024CE,SHA256=266BD803BF65137D896BB58B54E7A5A7477094514FF7E039A6C9DA2389F3E953,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:46.121{6F5BEE90-18B9-61E9-3500-000000002102}33043324C:\Windows\system32\conhost.exe{6F5BEE90-3B7A-61E9-7409-000000002102}1132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000058223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:46.121{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1CC3B74CB1E21C08B26441E63EA73D9,SHA256=6F83DA4C8DBEE19225228584C7545526B218BB4ABF1290A3905C58C37F24CF46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:46.119{6F5BEE90-18A9-61E9-0C00-000000002102}8281952C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2C00-000000002102}2984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:46.119{6F5BEE90-18A9-61E9-0C00-000000002102}8281952C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2C00-000000002102}2984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:46.118{6F5BEE90-18A9-61E9-0C00-000000002102}8281952C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2C00-000000002102}2984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:46.118{6F5BEE90-18A9-61E9-0C00-000000002102}8281952C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2C00-000000002102}2984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:46.118{6F5BEE90-18A7-61E9-0500-000000002102}392508C:\Windows\system32\csrss.exe{6F5BEE90-3B7A-61E9-7409-000000002102}1132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000058217Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:46.118{6F5BEE90-18B8-61E9-2F00-000000002102}30243900C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F5BEE90-3B7A-61E9-7409-000000002102}1132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000058216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:46.116{6F5BEE90-3B7A-61E9-7409-000000002102}1132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F5BEE90-18A8-61E9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F5BEE90-18B8-61E9-2F00-000000002102}3024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000031748Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:47.767{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6A3B62024D613DADA03695F50F0F7D4,SHA256=5BB3944B6315287027EB9CA2FD55F4E2FD792E79BFF4286357E69441A5E8C728,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:47.637{6F5BEE90-3B7B-61E9-7509-000000002102}58081924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6F5BEE90-18B8-61E9-2F00-000000002102}3024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:47.420{6F5BEE90-18B9-61E9-3500-000000002102}33043324C:\Windows\system32\conhost.exe{6F5BEE90-3B7B-61E9-7509-000000002102}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:47.418{6F5BEE90-18A9-61E9-0C00-000000002102}8281952C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2C00-000000002102}2984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:47.418{6F5BEE90-18A9-61E9-0C00-000000002102}8281952C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2C00-000000002102}2984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:47.418{6F5BEE90-18A9-61E9-0C00-000000002102}8281952C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2C00-000000002102}2984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:47.417{6F5BEE90-18A9-61E9-0C00-000000002102}8281952C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2C00-000000002102}2984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:47.417{6F5BEE90-18A7-61E9-0500-000000002102}392408C:\Windows\system32\csrss.exe{6F5BEE90-3B7B-61E9-7509-000000002102}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000058230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:47.417{6F5BEE90-18B8-61E9-2F00-000000002102}30243900C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F5BEE90-3B7B-61E9-7509-000000002102}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000058229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:47.416{6F5BEE90-3B7B-61E9-7509-000000002102}5808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F5BEE90-18A8-61E9-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{6F5BEE90-18B8-61E9-2F00-000000002102}3024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000058228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:47.137{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63609D8B15775593AC06523597A4DC6C,SHA256=059C0A345D345F44DCC7C625F1AA576C71A1CBDC7B29BA2FD6ACF0AD7BEFB5D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031749Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:48.783{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18FB50F3C2A7A7AE8AEA2D9EA1E0062B,SHA256=B13F0892A38A5BB0B771E03D84817FC1DC0AB7B3B444498ADBE2656831B7EE18,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:47.348{6F5BEE90-18C6-61E9-6E00-000000002102}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-53.attackrange.local52435-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000058248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:48.421{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DDC645ADE5CBB141B99343CAAE08309,SHA256=63433A572C78B606681EAB1DB4D077D55C7E44265020AF07E6327ADD2829D737,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:48.323{6F5BEE90-3B7C-61E9-7609-000000002102}53481172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6F5BEE90-18B8-61E9-2F00-000000002102}3024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000058246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:48.168{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E9325325501EF466F899D073659BDB7,SHA256=AA4242F9D2CC48B70CC78D3DA380FC15B2D2DF073DC7CA7E5C503B4324C54249,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:48.084{6F5BEE90-18B9-61E9-3500-000000002102}33043324C:\Windows\system32\conhost.exe{6F5BEE90-3B7C-61E9-7609-000000002102}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:48.084{6F5BEE90-18A9-61E9-0C00-000000002102}8281952C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2C00-000000002102}2984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:48.084{6F5BEE90-18A9-61E9-0C00-000000002102}8281952C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2C00-000000002102}2984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:48.084{6F5BEE90-18A9-61E9-0C00-000000002102}8281952C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2C00-000000002102}2984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:48.084{6F5BEE90-18A9-61E9-0C00-000000002102}8281952C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2C00-000000002102}2984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:48.084{6F5BEE90-18A7-61E9-0500-000000002102}392508C:\Windows\system32\csrss.exe{6F5BEE90-3B7C-61E9-7609-000000002102}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000058239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:48.084{6F5BEE90-18B8-61E9-2F00-000000002102}30243900C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F5BEE90-3B7C-61E9-7609-000000002102}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000058238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:48.085{6F5BEE90-3B7C-61E9-7609-000000002102}5348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6F5BEE90-18A8-61E9-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{6F5BEE90-18B8-61E9-2F00-000000002102}3024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000031751Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:49.861{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96CB556CA84A45AA0C41A784D10C87A1,SHA256=B66E5CB08D3EFD38D31449C2B30AA96EEA99CA739AAF291EB5D5F8DF7C9E521C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:49.227{6F5BEE90-18B9-61E9-3500-000000002102}33043324C:\Windows\system32\conhost.exe{6F5BEE90-3B7D-61E9-7709-000000002102}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:49.225{6F5BEE90-18A7-61E9-0500-000000002102}392508C:\Windows\system32\csrss.exe{6F5BEE90-3B7D-61E9-7709-000000002102}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000058256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:49.224{6F5BEE90-18A9-61E9-0C00-000000002102}8281296C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2C00-000000002102}2984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:49.224{6F5BEE90-18A9-61E9-0C00-000000002102}8281296C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2C00-000000002102}2984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:49.224{6F5BEE90-18A9-61E9-0C00-000000002102}8281296C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2C00-000000002102}2984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:49.224{6F5BEE90-18A9-61E9-0C00-000000002102}8281296C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2C00-000000002102}2984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:49.223{6F5BEE90-18B8-61E9-2F00-000000002102}30243900C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6F5BEE90-3B7D-61E9-7709-000000002102}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000058251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:49.222{6F5BEE90-3B7D-61E9-7709-000000002102}6480C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6F5BEE90-18A8-61E9-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{6F5BEE90-18B8-61E9-2F00-000000002102}3024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000058250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:49.190{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28735A3D6D2B6173EC152C52E37C4D98,SHA256=CF3301B5E885ADFDF2D2722C4F29623446D2C9225C83CF53EEF730D5E53FF0CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031750Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:46.833{CE7C8936-1B1A-61E9-D900-000000002202}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-276.eu-central-1.compute.internal51377-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000058260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:50.228{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=262940F7C19D9E03CF6F6731FFB90677,SHA256=90B6C17F38666E85B1E2E387D8796D961D33657D6B8522E7C22BC6DC959C8615,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:50.197{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FED6D9A1FFEE9AEBFDBB672524D3D7E7,SHA256=11F192564190F3A802C8CA30BD1B7205F4FB4D85C67A5D65D9F427F4D82B3A10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:51.212{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=153B99662495C47781ACA264A6A02270,SHA256=25103231BA30AC2024E617D5597CDCFE1FAEBF2E10C6D3DBCB4F83640CF45B27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031752Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:51.095{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58DECA45A7C214C4A081F501B26B0D9F,SHA256=3E732C6A9B40ED903F69BFE14D6605B7EC37E2BD692A7871BFBE20FD9E02606F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:51.096{6F5BEE90-18A9-61E9-0C00-000000002102}8281296C:\Windows\system32\svchost.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000058268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:51.096{6F5BEE90-18A9-61E9-0C00-000000002102}8281296C:\Windows\system32\svchost.exe{6F5BEE90-1B24-61E9-1101-000000002102}5640C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000058267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:51.096{6F5BEE90-18A9-61E9-0C00-000000002102}8281952C:\Windows\system32\svchost.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000058266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:51.096{6F5BEE90-18A9-61E9-0C00-000000002102}8281952C:\Windows\system32\svchost.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000058265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:51.096{6F5BEE90-18A9-61E9-0C00-000000002102}8281952C:\Windows\system32\svchost.exe{6F5BEE90-1B24-61E9-1101-000000002102}5640C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000058264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:51.096{6F5BEE90-1B14-61E9-F100-000000002102}2632324C:\Windows\System32\sihost.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:51.048{6F5BEE90-18A9-61E9-0C00-000000002102}8283272C:\Windows\system32\svchost.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000058262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:51.048{6F5BEE90-18A9-61E9-0C00-000000002102}8283272C:\Windows\system32\svchost.exe{6F5BEE90-1B26-61E9-1201-000000002102}5320C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 10341000x800000000000000058261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:51.048{6F5BEE90-18A9-61E9-0C00-000000002102}8283272C:\Windows\system32\svchost.exe{6F5BEE90-1B24-61E9-1101-000000002102}5640C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c 23542300x800000000000000031753Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:52.205{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BFBD8E68310E249D6D911164694F4AF,SHA256=E54B4C1C708EAE5750CD5DAA21C8B39E3626F6C28E20E7D52DD1128CC5FEC6FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:52.213{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB5926A96763E83051E322B174DF9CC5,SHA256=4EEA8607962AF58775C396449A97FFC121DCE656379AAB2449A881EC8750D77A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031754Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:53.236{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB058A2EC1C422C4F608FB100A666966,SHA256=19A5721E23ECF99E5B3AE462F7D227304F9BCAD955B5E65A0F2E64126EE29E68,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:52.393{6F5BEE90-18C6-61E9-6E00-000000002102}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-53.attackrange.local52436-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000058272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:53.229{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1E36A0046808E7EB4008E24C17D02FD,SHA256=4B3D53A97A2ED534876833F8BE5F5B8A21FD6B4B3431AFB50571418936956036,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031756Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:51.859{CE7C8936-1B1A-61E9-D900-000000002202}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-276.eu-central-1.compute.internal51378-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031755Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:54.252{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AD3F36B5A235A7CCFB4FDEC5D83C7DB,SHA256=02205A1C0244F974F934A8C199E735FF61F6600FA31B399F12C5620BACA2274E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:54.232{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ED824B4DA1D9EFB6EE9833942617D5E,SHA256=18310594E81C8AAAE57FEFC477D7E91F26F4BF8F84D0CFC2A2ABC508AAF97A39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031757Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:55.299{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFFCEE958D095B10C61522EFDDE9505E,SHA256=164697AAE5E51E07EA4F8C0E9C81CF987125F26E82A1E49CC2FFE8C67D9FDE8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:55.233{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AAEFBB6A506957FF01C27DFA71F7F06,SHA256=3F9E235AAEB43C2A7E79BA5963CD638243F5FE139BDC1208D3302E3DA7A3BDAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031758Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:56.314{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A3D67900B01215BC1CA13AF610749E5,SHA256=612E90981DFAACBCED0F58EAA2FC19087D09F52304EE061AC03D52FE55B6C2E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:56.234{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ED785EE54C943FAA12615398575A988,SHA256=B5AA03B13F06B31CE258C6F69410DF3360908B76BE0D03623CCA759BD1312ACE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:57.254{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC13337A4F330A6A15E2F20C03E6888C,SHA256=C05637D5E289324A3797B118C09BCFEF6DE8A3FC4970B64AA6BC5403C569834E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031759Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:57.330{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17D637BA2C8BDF26FE0ED6D2176AC33D,SHA256=EB8AF9C55E0CB4DE8C266330AC8F7D53FDF19198205FCE5EF2FDBF26C05FA54F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031761Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:56.968{CE7C8936-1B1A-61E9-D900-000000002202}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-276.eu-central-1.compute.internal51379-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031760Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:58.345{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73410725D746322D5DF487D6D71E5B4D,SHA256=C4F5B139833074D5BED54C40DDC02A2D0FF4E59BE25B3B04C31180C43DF81FE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:57.413{6F5BEE90-18C6-61E9-6E00-000000002102}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-53.attackrange.local52437-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x800000000000000058282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:58.455{6F5BEE90-18A9-61E9-0C00-000000002102}8286020C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2B00-000000002102}2976C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:58.455{6F5BEE90-18A9-61E9-0C00-000000002102}8286020C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2B00-000000002102}2976C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:58.455{6F5BEE90-18A9-61E9-0C00-000000002102}8286020C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2B00-000000002102}2976C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:58.455{6F5BEE90-18A9-61E9-0C00-000000002102}8286020C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2B00-000000002102}2976C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000058278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:58.271{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3F4C27A073338DA1093D7D1BA3C6777,SHA256=3D2962C71CF38971D4F4E73A3339C1610D09F606AF6F3D0304FF71E598B14A62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031762Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:37:59.361{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D488FF3D04687547FE116C66C67D7C49,SHA256=D5B3F8D1795E6E7DA3A0BDA313B76FE2020286FCFF89A40A25AA4A439F4E4731,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:59.918{6F5BEE90-1B15-61E9-FA00-000000002102}46326520C:\Windows\Explorer.EXE{6F5BEE90-3B87-61E9-7809-000000002102}4696C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:59.918{6F5BEE90-1B15-61E9-FA00-000000002102}46326520C:\Windows\Explorer.EXE{6F5BEE90-3B87-61E9-7809-000000002102}4696C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:59.918{6F5BEE90-1B15-61E9-FA00-000000002102}46326520C:\Windows\Explorer.EXE{6F5BEE90-3B87-61E9-7809-000000002102}4696C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:59.872{6F5BEE90-1B14-61E9-F400-000000002102}36683156C:\Windows\System32\taskhostw.exe{6F5BEE90-3B87-61E9-7909-000000002102}5084C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:59.872{6F5BEE90-1B14-61E9-F400-000000002102}36683156C:\Windows\System32\taskhostw.exe{6F5BEE90-3B87-61E9-7909-000000002102}5084C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:59.833{6F5BEE90-1B15-61E9-FA00-000000002102}46321004C:\Windows\Explorer.EXE{6F5BEE90-3B87-61E9-7809-000000002102}4696C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:59.833{6F5BEE90-1B15-61E9-FA00-000000002102}46321004C:\Windows\Explorer.EXE{6F5BEE90-3B87-61E9-7809-000000002102}4696C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:59.833{6F5BEE90-1B15-61E9-FA00-000000002102}46321004C:\Windows\Explorer.EXE{6F5BEE90-3B87-61E9-7809-000000002102}4696C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:59.833{6F5BEE90-1B15-61E9-FA00-000000002102}46321004C:\Windows\Explorer.EXE{6F5BEE90-3B87-61E9-7809-000000002102}4696C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:59.833{6F5BEE90-1B15-61E9-FA00-000000002102}46325552C:\Windows\Explorer.EXE{6F5BEE90-3B87-61E9-7909-000000002102}5084C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62db0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:59.817{6F5BEE90-1B15-61E9-FA00-000000002102}46325552C:\Windows\Explorer.EXE{6F5BEE90-3B87-61E9-7909-000000002102}5084C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+62d6c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:59.817{6F5BEE90-1B15-61E9-FA00-000000002102}46325552C:\Windows\Explorer.EXE{6F5BEE90-3B87-61E9-7909-000000002102}5084C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62d40|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:59.817{6F5BEE90-1B15-61E9-FA00-000000002102}46325552C:\Windows\Explorer.EXE{6F5BEE90-3B87-61E9-7909-000000002102}5084C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:59.817{6F5BEE90-18AA-61E9-1600-000000002102}13241676C:\Windows\System32\svchost.exe{6F5BEE90-3B87-61E9-7909-000000002102}5084C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:59.802{6F5BEE90-18AA-61E9-1600-000000002102}13241364C:\Windows\System32\svchost.exe{6F5BEE90-3B87-61E9-7909-000000002102}5084C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:59.786{6F5BEE90-3B87-61E9-7909-000000002102}50844268C:\Windows\system32\conhost.exe{6F5BEE90-3B87-61E9-7809-000000002102}4696C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:59.772{6F5BEE90-1B0F-61E9-E500-000000002102}41763520C:\Windows\system32\csrss.exe{6F5BEE90-3B87-61E9-7909-000000002102}5084C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000058291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:59.755{6F5BEE90-18A9-61E9-0C00-000000002102}8286020C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2C00-000000002102}2984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:59.755{6F5BEE90-18A9-61E9-0C00-000000002102}8286020C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2C00-000000002102}2984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:59.755{6F5BEE90-18A9-61E9-0C00-000000002102}8286020C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2C00-000000002102}2984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:59.755{6F5BEE90-1B0F-61E9-E500-000000002102}41764072C:\Windows\system32\csrss.exe{6F5BEE90-3B87-61E9-7809-000000002102}4696C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000058287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:59.755{6F5BEE90-18A9-61E9-0C00-000000002102}8286020C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2C00-000000002102}2984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:59.755{6F5BEE90-1B15-61E9-FA00-000000002102}46325912C:\Windows\Explorer.EXE{6F5BEE90-3B87-61E9-7809-000000002102}4696C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a912f|C:\Windows\System32\windows.storage.dll+a8da5|C:\Windows\System32\windows.storage.dll+a8896|C:\Windows\System32\windows.storage.dll+a9d08|C:\Windows\System32\windows.storage.dll+a86be|C:\Windows\System32\windows.storage.dll+ab4d5|C:\Windows\System32\windows.storage.dll+ab854|C:\Windows\System32\windows.storage.dll+aae90|C:\Windows\System32\windows.storage.dll+ad6ba|C:\Windows\System32\windows.storage.dll+ad472|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801e1|C:\Windows\System32\SHELL32.dll+6717e|C:\Windows\System32\SHELL32.dll+17c29c|C:\Windows\System32\SHELL32.dll+19ea38|C:\Windows\System32\SHELL32.dll+284513|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+17c540 154100x800000000000000058285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:59.750{6F5BEE90-3B87-61E9-7809-000000002102}4696C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ATTACKRANGE\Administrator{6F5BEE90-1B13-61E9-8513-0D0000000000}0xd13852HighMD5=65D86C34814C02569E2AD53FD24E7F61,SHA256=8133502266008B77DE7921451E1210B0EF3F0ED2DB7D8D3EE0C3350D856FA6FA,IMPHASH=5E0145CEF36FA9BFBA7DE33AA683B8ED{6F5BEE90-1B15-61E9-FA00-000000002102}4632C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x800000000000000058284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:37:59.286{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33AA803988DEFA5DBD7F04B5A9B664D3,SHA256=30408A4B8C8A70623839BBE33479008C823C0DAF3CA626A277EF99276AF29BD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031763Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:38:00.377{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=254B61584906279021B1CAD4D2510403,SHA256=BA35A71393D43A4F3D3BCB3D424544B709373B0983AACA0AEEC4FDA505FB50F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:00.767{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B350D179A29FBC915862682C26D961F5,SHA256=334F0B303C9C8083858FB40D7E5DD9B871F525F8930A61A213EB1B42DE5D7FFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:00.766{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C844E9D12945568AA7E3CB5D304AC243,SHA256=5E532342B0000F138FD5490CE4861EAA4408A6B87F4F8EC63E1B574B28708989,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:00.747{6F5BEE90-18A7-61E9-0B00-000000002102}608660C:\Windows\system32\lsass.exe{6F5BEE90-3B87-61E9-7809-000000002102}4696C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:00.514{6F5BEE90-3B87-61E9-7809-000000002102}46961916C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe{6F5BEE90-1B15-61E9-FA00-000000002102}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+10b21c(wow64)|C:\Windows\System32\windows.storage.dll+10adf5(wow64)|C:\Windows\System32\windows.storage.dll+10ac56(wow64)|C:\Windows\System32\windows.storage.dll+c4f96(wow64)|C:\Windows\System32\windows.storage.dll+c4ebd(wow64)|C:\Windows\System32\windows.storage.dll+c613d(wow64)|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe+c2f8|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe+acc5|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe+95cf|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000058317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:00.514{6F5BEE90-3B87-61E9-7809-000000002102}46961916C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe{6F5BEE90-1B15-61E9-FA00-000000002102}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+230fc(wow64)|C:\Windows\System32\windows.storage.dll+10b14f(wow64)|C:\Windows\System32\windows.storage.dll+10adf5(wow64)|C:\Windows\System32\windows.storage.dll+10ac56(wow64)|C:\Windows\System32\windows.storage.dll+c4f96(wow64)|C:\Windows\System32\windows.storage.dll+c4ebd(wow64)|C:\Windows\System32\windows.storage.dll+c613d(wow64)|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe+c2f8|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe+acc5|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe+95cf|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000058316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:00.514{6F5BEE90-3B87-61E9-7809-000000002102}46961916C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe{6F5BEE90-1B15-61E9-FA00-000000002102}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+10b13a(wow64)|C:\Windows\System32\windows.storage.dll+10adf5(wow64)|C:\Windows\System32\windows.storage.dll+10ac56(wow64)|C:\Windows\System32\windows.storage.dll+c4f96(wow64)|C:\Windows\System32\windows.storage.dll+c4ebd(wow64)|C:\Windows\System32\windows.storage.dll+c613d(wow64)|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe+c2f8 10341000x800000000000000058315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:00.514{6F5BEE90-3B87-61E9-7809-000000002102}46961916C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe{6F5BEE90-1B15-61E9-FA00-000000002102}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+10b13a(wow64)|C:\Windows\System32\windows.storage.dll+10adf5(wow64)|C:\Windows\System32\windows.storage.dll+10ac56(wow64)|C:\Windows\System32\windows.storage.dll+c4f96(wow64)|C:\Windows\System32\windows.storage.dll+c4ebd(wow64)|C:\Windows\System32\windows.storage.dll+c613d(wow64)|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe+c2f8|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe+acc5 10341000x800000000000000058314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:00.514{6F5BEE90-3B87-61E9-7809-000000002102}46961916C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe{6F5BEE90-1B15-61E9-FA00-000000002102}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+26498(wow64)|C:\Windows\System32\shcore.dll+2995e(wow64)|C:\Windows\System32\shcore.dll+29cab(wow64)|C:\Windows\System32\windows.storage.dll+1e3eba(wow64)|C:\Windows\System32\windows.storage.dll+10ad68(wow64)|C:\Windows\System32\windows.storage.dll+c4f96(wow64)|C:\Windows\System32\windows.storage.dll+c4ebd(wow64)|C:\Windows\System32\windows.storage.dll+c613d(wow64)|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe+c2f8|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe+acc5|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe+95cf|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64) 10341000x800000000000000058313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:00.514{6F5BEE90-3B87-61E9-7809-000000002102}46961916C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe{6F5BEE90-1B15-61E9-FA00-000000002102}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+264da(wow64)|C:\Windows\System32\shcore.dll+297f0(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1e3eac(wow64)|C:\Windows\System32\windows.storage.dll+10ad68(wow64)|C:\Windows\System32\windows.storage.dll+c4f96(wow64)|C:\Windows\System32\windows.storage.dll+c4ebd(wow64)|C:\Windows\System32\windows.storage.dll+c613d(wow64)|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe+c2f8|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe+acc5 10341000x800000000000000058312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:00.514{6F5BEE90-3B87-61E9-7809-000000002102}46961916C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe{6F5BEE90-1B15-61E9-FA00-000000002102}4632C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Windows\System32\shcore.dll+2983c(wow64)|C:\Windows\System32\shcore.dll+297cb(wow64)|C:\Windows\System32\shcore.dll+299c5(wow64)|C:\Windows\System32\shcore.dll+29d58(wow64)|C:\Windows\System32\shcore.dll+29dc5(wow64)|C:\Windows\System32\windows.storage.dll+1e3eac(wow64)|C:\Windows\System32\windows.storage.dll+10ad68(wow64)|C:\Windows\System32\windows.storage.dll+c4f96(wow64)|C:\Windows\System32\windows.storage.dll+c4ebd(wow64)|C:\Windows\System32\windows.storage.dll+c613d(wow64)|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe+c2f8|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe+acc5|C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe+95cf 23542300x800000000000000058311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:00.337{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D70A97F1F65498746F548BD25B666C50,SHA256=CD4C1D8C253ED6CDAEF2D1B3F24931A446E1609258B5E8615E7AAC8C07B5C02E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:00.018{6F5BEE90-18AA-61E9-1600-000000002102}13241676C:\Windows\System32\svchost.exe{6F5BEE90-3B87-61E9-7809-000000002102}4696C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:00.018{6F5BEE90-18AA-61E9-1600-000000002102}13241364C:\Windows\System32\svchost.exe{6F5BEE90-3B87-61E9-7809-000000002102}4696C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000031764Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:38:01.408{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB852FDF70E0EB813C98A25883A84A2,SHA256=C4673592D041C4D13391CA59815AF6AC4FC1D9535F852B00892F34FE95FE2548,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000058325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:01.732{6F5BEE90-3B87-61E9-7809-000000002102}4696C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_vwszlxrp.c22.ps12022-01-20 10:38:01.730 10341000x800000000000000058324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:01.668{6F5BEE90-18A7-61E9-0B00-000000002102}608660C:\Windows\system32\lsass.exe{6F5BEE90-3B87-61E9-7809-000000002102}4696C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:01.662{6F5BEE90-18A9-61E9-0C00-000000002102}8286020C:\Windows\system32\svchost.exe{6F5BEE90-3B87-61E9-7809-000000002102}4696C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000058322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:01.364{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98CDF437511EE1BEDD645D6A3B48BD53,SHA256=334B10DA80CE0F793FB26DC11A6611054C7A8F1F701FD65FA68C31D8BC1B9AD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:02.693{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2415696C288A43700F39D25C7B8FDC9E,SHA256=0E91725FB8B7064F0EFEB90DEE62750D3FCBD11666C5A0AB4AB2CE5C9BA0EC91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:02.371{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F9DD4970B64C1F3F4DBD0BAF81EA528,SHA256=850E2DD312A118F30DE7FA44AB921C6D6CD168658D910991F2283DC8E236AFC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031766Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:38:02.439{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40F5589F9DC62B421815B437D3551408,SHA256=FF25BA1838397491652C65AD8F3C50951F7B49A1900EE0AE02EF4D9015F546C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031765Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:38:02.377{CE7C8936-1A7C-61E9-1200-000000002202}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=72C25F67A7DF7CB7F3D62B177237D91C,SHA256=36AAA1170FD46F512F920D66ECED1C6277477BE1F2BD14967A115FE7DAF69B2A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:02.324{6F5BEE90-18A7-61E9-0B00-000000002102}608660C:\Windows\system32\lsass.exe{6F5BEE90-3B87-61E9-7809-000000002102}4696C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:02.324{6F5BEE90-18A7-61E9-0B00-000000002102}608660C:\Windows\system32\lsass.exe{6F5BEE90-3B87-61E9-7809-000000002102}4696C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x800000000000000058328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-CreatePipe2022-01-20 10:38:02.124{6F5BEE90-3B87-61E9-7809-000000002102}4696\PSHost.132871486797507973.4696.DefaultAppDomain.powershellC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000058327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:02.100{6F5BEE90-3B87-61E9-7809-000000002102}4696ATTACKRANGE\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_f22igbhb.yrt.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:02.099{6F5BEE90-3B87-61E9-7809-000000002102}4696ATTACKRANGE\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_vwszlxrp.c22.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031767Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:38:03.455{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F77EFA7832D406D6130DB87B2D2D2FAF,SHA256=1C9241E54EEAB8436E4BEB3C7C370ACCFAA3EF4897704D01463DD6BA292D013D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:02.441{6F5BEE90-18C6-61E9-6E00-000000002102}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-53.attackrange.local52438-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000058334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:03.789{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=93F85733EF9B24C9E7DC1DAC2A84F7FA,SHA256=02A67112EDA64A1A9658A4964A976C7433426F3B9AB3D5AA821446F0158D7A42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:03.408{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A5FAD3E307504FC2428BF00D10B8709,SHA256=3778FE7090F7178FB61135EB6430315C2A56C4BC9F6617E650326693F97B41FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031768Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:38:04.455{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E27AAAB3E82A0F178427C59A56D44A0C,SHA256=E544F375ABC4893A8D9A5D11E6B3C5003A140FCB7CF07323F61F63E473D7C174,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:04.409{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8A4B2DE41C1D2F37F94BC7E7CD9301C,SHA256=DD86B0E4C56F959F5EE2CBC212001615AF6387CFAE176E6CEF28D15245166DAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:05.424{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D4587BA5CD08B23388966071D0D49AF,SHA256=5450AB205C4CFBB9A278D32EE5F8282708C6A4EB390D76A8B6D2CF7965B4BE6A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031770Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:38:02.906{CE7C8936-1B1A-61E9-D900-000000002202}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-276.eu-central-1.compute.internal51380-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031769Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:38:05.470{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B870BBF77D456D511AAE0FB58C94C4C,SHA256=4E86C9C93B2AE5A98D858A02A1DDC18159FE79FC10670F33FF9B4AB4CC884133,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:06.439{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E1D81CEDC4FC3AE9FDF0386D8CD6230,SHA256=79F9D79B75164B617FAAAEE8F8FA9950FE02823824D9CCACEBF4194DD415BDC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031771Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:38:06.470{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F839444694854D2AB53EC9EDB3160576,SHA256=98D35BB02F54CA374917352200930A331DE5B3694BCB2AFA7A97A6B4E20F46FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:07.454{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02E152DD161FC4F651E867721CE1A42D,SHA256=18ACA5E16111C56C18417A9BB373F1DBC4368C71B26F6E7771554968B758A84B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031772Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:38:07.486{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=376CA0462B49009B0F699E9E40A5288F,SHA256=6D2AE7BAE351CCBB8DC00CD94406FD04E65BD321DCC3F0E45183BB539D36A8D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:07.484{6F5BEE90-18C6-61E9-6E00-000000002102}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-53.attackrange.local52439-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000058341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:08.470{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC8C9D1EEF8054DE15B0541750F96BFB,SHA256=A805D75EADC940CDEE4F3C0F7CFB0F2E3A25A060504ABFDDBA148825D6448894,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031773Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:38:08.501{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA101C864FCC0C7C6A5E79E83C6666EE,SHA256=AC9F6D45FB8B534794A4662AF04D6339E825F230BB9987EE3CA65556E9129E8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:08.191{6F5BEE90-1B14-61E9-F400-000000002102}36683156C:\Windows\System32\taskhostw.exe{6F5BEE90-1B15-61E9-FA00-000000002102}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000058343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:09.492{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8112AA2FB2CFA7EF75320BDE24044ECE,SHA256=ABBD8A2E9AD8CE6572FBFE35EBA15795CC8FBBD09658F2BF32DC83D64D58E1E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031774Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:38:09.516{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77F93B87C06B79B3B47FE771AC8F6787,SHA256=ECC8F6E9B1C78C1305041B2B08CA54C60D2DF3973FCDABA7B15064C07DECED59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:10.517{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A296ED00B22CFD443C863E3460BB4AB,SHA256=385A388DAA9671196DD2C350D25949592E90DC9ACA5A5782065BD0DF7FC3FFD2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031776Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:38:08.764{CE7C8936-1B1A-61E9-D900-000000002202}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-276.eu-central-1.compute.internal51381-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031775Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:38:10.516{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=209378FD58852CBF9485D2FFB83795BC,SHA256=DBA7E3F247DACC9B30819F1AF42F0F978D8D4FC6ACB49DA363EE1980E505B969,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:10.473{6F5BEE90-1B14-61E9-F400-000000002102}36683156C:\Windows\System32\taskhostw.exe{6F5BEE90-1B15-61E9-FA00-000000002102}4632C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000058346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:11.520{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE503B6D2D75DDEF03BE05DEFB8FD8BC,SHA256=336F3F60593BC963B41D60D6696F7CA0C176A7B2B21FFD780BC43600896025CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031777Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:38:11.532{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78EC1707D775150F8B0DE51204225041,SHA256=20F335A630E7F61D7A3617F1BA4616696BB551BE03A29AE81B717C8A3FA59F9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:12.723{6F5BEE90-18B8-61E9-2900-000000002102}2920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0571bb7ceded66ec2\channels\health\respondent-20220120080932-144MD5=44EE2058E1CF53803DE801177DF9FF30,SHA256=D4B695239EFC7A7D204A7F26661A6155EA831FDC6A54CE0076B22CA3E58183AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:12.535{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EDF4562C9030ED1E6E1D91391E31AC2,SHA256=2843FC6452902B4F92BFF41CCDD71CA65458967A92E202273D9E252C59F6574D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031778Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:38:12.548{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7BBEBDEBF21D7FB49E55834C75922CF,SHA256=4D88F975668813CD50080E7DB759750F7B1D8C040D709EEE03478657F87A7880,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:13.724{6F5BEE90-18B8-61E9-2900-000000002102}2920NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0571bb7ceded66ec2\channels\health\surveyor-20220120080928-145MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:13.551{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDF21AD67D741858B384DAD385D69ED5,SHA256=FCCFC7C853AC0BCEBB3B8A284FE1A441FF9F7A8CBEB7F5793E8506C1A7A38F75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031779Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:38:13.563{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978CEB5BDBF8E0FC84F385BD9ABE9759,SHA256=CC314163E20474D751CB797F39CDA3F4899A386CD2D1A9D712EFEE8F31A53F47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:14.570{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBDD94801FF671E9E8EF697952618694,SHA256=77F35CD65386CBE8F5A79B83306D3C737F823F923FE9F963CBC84FC4D24B65E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031780Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:38:14.563{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DD3F29CC644DE9EBF337A489F855C95,SHA256=3D859D7F84FCD3E749E92E2011900179A40F5AB061B884A353D5664F8EA6F697,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:15.586{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=264A216FEE8E265F0AC92415C879DBD0,SHA256=79E8C4CA81F4B9EB17A8CAE825C6F0F3C3D6773D20FC90BA546CFA9FEA898823,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031781Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:38:15.579{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DA15A1F01B6E67D423A16F2B93FC269,SHA256=13D621DA9BD91E839E5712E5D201D41E9610A6965917BFFAD53CC54C59E35EEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:15.554{6F5BEE90-3B87-61E9-7809-000000002102}4696ATTACKRANGE\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5=60EDE099EB0E0BEB7F11680662F30C5C,SHA256=D1DED6895B7E358BF6A27509168F60ED73909AFE5CAB5CFC0F7A66322D53D214,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:15.486{6F5BEE90-18AA-61E9-1100-000000002102}480NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4A2E54D76639C9BDE1BD5BD482EFC18C,SHA256=18E9827D66F3959FC622707D1671F4963A7B621DAB226031BAC7D9E014125C77,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:13.496{6F5BEE90-18C6-61E9-6E00-000000002102}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-53.attackrange.local52440-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031782Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:38:16.594{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9D4BE53E5CE72F282E99C1EC168AA4E,SHA256=83AF4AF7DB35ECEB0E10295998AC7647304F717398DC76A46DCB53B00BC8D926,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:16.605{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA64AF2C50C2C4B1F9C8A3D88E47D06E,SHA256=34A7CDE1001DDD46A5DD03BAB5F7EBE1409E498ADF59C1317350FC1162C5DD9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:17.623{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D51E35975819EB8AE3C10FD7ACB2BF9,SHA256=EEB937ACBE6D4A8562997A9C05FFA775DD64899187C9DA7589EBD8946B555A58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031785Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:38:17.610{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2F44230D1603958CD0745D0C194EB43,SHA256=4F2B946241D185F0136E68A34586BBAAB2FFC1F5900F624AD0E5676FCEDA57BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031784Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:38:17.344{CE7C8936-1B12-61E9-AB00-000000002202}1912NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9E11AA9F3452DB0F16F9E79CCD407159,SHA256=0B6123CF67044127245D77723D015AECD3385919E1F78356EC114EAF4F576866,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031783Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:38:14.780{CE7C8936-1B1A-61E9-D900-000000002202}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-276.eu-central-1.compute.internal51382-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031786Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:38:18.610{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=876FE999D18B23878BB6DEC29ED9D717,SHA256=FFDC69A2A1525481201525EE12324B36258895B5E161C7F998F7B122C2E50D94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:18.624{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=374BF957B0DAC45E1763ACE8A4537D5A,SHA256=C47474F0709AA89028AF1C8E5FDAFE012055606C1009D43AC3A3AC7D921933C9,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000058358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-SetValue2022-01-20 10:38:18.571{6F5BEE90-18AA-61E9-1200-000000002102}352C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d80de9-0xd68faf7b) 23542300x800000000000000031788Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:38:19.626{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5495E861F90708713AA4127F69928FD8,SHA256=C46A03F565726513EE812AB5E7D2C5D0714689C3E924F1B90DD16D6C3F1C837A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:19.654{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C0E6D8CDBD3E78F3EC8FFB80F93644,SHA256=51BB8A853080A0E26857B216AECACBBF5606CCC1021AB7376A9D84F3E76E5DFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000031787Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:38:17.045{CE7C8936-1B12-61E9-AB00-000000002202}1912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-276.eu-central-1.compute.internal51383-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000031789Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:38:20.626{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5078371DC51323412C5933BD45FA51C,SHA256=80BA94D1766F7206386E09B09023DF15D2EA1F334AAC750EA6CBEBF0C1530C05,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:19.418{6F5BEE90-18C6-61E9-6E00-000000002102}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-53.attackrange.local52441-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000058369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:20.670{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=733DAF22227D9515E9BA8C1E65D05D2F,SHA256=79A458CEB60672506ACBDCF99C3B8B2D27015496126D71C4167EBE89B6CDBAD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:20.638{6F5BEE90-18B8-61E9-2F00-000000002102}3024NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=9E11AA9F3452DB0F16F9E79CCD407159,SHA256=0B6123CF67044127245D77723D015AECD3385919E1F78356EC114EAF4F576866,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:20.538{6F5BEE90-1B15-61E9-FA00-000000002102}46326520C:\Windows\Explorer.EXE{6F5BEE90-3B87-61E9-7809-000000002102}4696C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62725|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:20.538{6F5BEE90-1B15-61E9-FA00-000000002102}46326520C:\Windows\Explorer.EXE{6F5BEE90-3B87-61E9-7809-000000002102}4696C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6263e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:20.538{6F5BEE90-1B15-61E9-FA00-000000002102}46326520C:\Windows\Explorer.EXE{6F5BEE90-3B87-61E9-7809-000000002102}4696C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62607|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+15458f|C:\Windows\System32\windows.storage.dll+15330f|C:\Windows\System32\windows.storage.dll+1562bf|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:20.523{6F5BEE90-1B15-61E9-FA00-000000002102}46325552C:\Windows\Explorer.EXE{6F5BEE90-3B87-61E9-7909-000000002102}5084C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6163f|C:\Windows\System32\SHELL32.dll+62db0|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:20.523{6F5BEE90-1B15-61E9-FA00-000000002102}46325552C:\Windows\Explorer.EXE{6F5BEE90-3B87-61E9-7909-000000002102}5084C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+62d6c|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:20.523{6F5BEE90-1B15-61E9-FA00-000000002102}46325552C:\Windows\Explorer.EXE{6F5BEE90-3B87-61E9-7909-000000002102}5084C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61894|C:\Windows\System32\SHELL32.dll+62d40|C:\Windows\System32\TwinUI.dll+12d711|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:20.523{6F5BEE90-1B15-61E9-FA00-000000002102}46325552C:\Windows\Explorer.EXE{6F5BEE90-3B87-61E9-7909-000000002102}5084C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d549|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000058371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:21.685{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5D46D3B29478D37398AEC514DC309C3,SHA256=0822A93E56FE7B60CB21B5F4F369A85110FF60E7CF08F9BB94E20A2402E28D52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031790Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:38:21.641{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EBA41F1B2E4E9002B7A16808EFCCB01,SHA256=38AD475481A7F1DFF8627816813896FF86F062FD671603659E7553CA967278EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:22.706{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40B9CE5595EECA1B2972C7F3DD227006,SHA256=A0F302167B122A083B7D10481AD2CC0512FBDF7431BB04DB28010E14F93993EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031791Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:38:22.657{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A24686EF4DBDDE3144311CB734C2E5DC,SHA256=1EA5F68091AB053E61CBE28EBA75C5919EFDE63D64CE12894023DF18398CAA65,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:20.917{6F5BEE90-18B8-61E9-2F00-000000002102}3024C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-53.attackrange.local52442-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000031793Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:38:23.673{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13E1C1738F90789A909AC8C149D7E174,SHA256=806DA450241CDDFEC0185CC5C16C68FFFDFD14BC9E81D270D4BEBCBC359AC3F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:23.714{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79A446B3DCF5965B8E2497AD58EF9840,SHA256=CD87655F82E64A11656B8FF06DF8CEE8B50F49C69B8EF776773AA854763CE24E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000058374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:23.230{6F5BEE90-3B87-61E9-7809-000000002102}4696C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt2022-01-20 10:38:23.230 354300x800000000000000031792Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:38:20.795{CE7C8936-1B1A-61E9-D900-000000002202}4048C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-tcontreras-attack-range-276.eu-central-1.compute.internal51384-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000031794Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:38:24.673{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06496A865426B11FD11F6608C5B4F1AE,SHA256=2826ECED32623C4076F0988D3434E5AFEDBFE6FD9C29A7A46D245FD140743CB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:24.729{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73327D8D6496CA63B713D3DC41C6A6B0,SHA256=36182DE46286ED5CAAEA56B8FA08EE570AF06C13A0A4E21718F8F99D76E480D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:24.261{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5B27C492E296F4160D8BCB16CD68728E,SHA256=80803A2BF2C1C7C617F7E7A909BE4AED6268068371F5BE1F87F03EC5B1555DE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:25.746{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2710421A765A659DC11FE93ED697D1DF,SHA256=9744C9EA4DEBCA4340E378517AFC08AB5ABCF05472755DF2D5116C6230AA49CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031795Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:38:25.688{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B195657E9FBD7DD532872D4318C4495,SHA256=0C055EB1BF79D5894296B4021B5742E1035E77013D808CCA391B0BD34A7AB658,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:25.160{6F5BEE90-3B87-61E9-7809-000000002102}4696ATTACKRANGE\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_2ufs5i5x.rqp.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:25.160{6F5BEE90-3B87-61E9-7809-000000002102}4696ATTACKRANGE\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_clvmlr13.zkv.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000058378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:25.160{6F5BEE90-3B87-61E9-7809-000000002102}4696C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_clvmlr13.zkv.ps12022-01-20 10:38:25.160 23542300x800000000000000058384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:26.762{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=797812CD755CC2565C04018586EC1512,SHA256=07DFFBE203745E2C33D751A852CB5C472173D4C841A64879E5BD97C640CCF106,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031796Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:38:26.704{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57636E99E36B3CEBF51DDD48E43EA571,SHA256=8C10DD7E7DFB64CB8BF5B7CE34FC5308202E69292DE740CFFE76EC3DABAEE09B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000058383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:24.539{6F5BEE90-18C6-61E9-6E00-000000002102}3440C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-53.attackrange.local52443-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000058382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:26.130{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E655EF3F0823E0389AFA04577624583C,SHA256=7814C1CD7B0AA17CC0A1D3B4B684BBEA764ACF23061AB6A75B5B637B7EB9956D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:27.780{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4228FEED3CD153623E623C0571F6E0A8,SHA256=2AFD9CCBA9174B01431C1810C3BCB6F1CC9ACA0D298DB043A56F77C59C6C7005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031797Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:38:27.705{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DBBD611F07E0E95A397A639085616CA,SHA256=E03FA98E937CFF940D726BDA76571532DF9BA5788AFA1FBA72CDF3756017724E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:27.161{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0241D4A48CE5617FC41C80BABAF46F78,SHA256=047D41D40F3177C7B48D8978A9701C9D73F8B0064BFF41CABC4A0065FCCB0E25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000031798Microsoft-Windows-Sysmon/Operationalwin-host-tcontreras-attack-range-276-2022-01-20 10:38:28.720{CE7C8936-1B20-61E9-E200-000000002202}3964NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C59557925F8308F0C8698A506428B56F,SHA256=435D16F832EADCC8F329E3CB8E27AC69F7176CF781116285DBD5DC02D6F988F4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000058398Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.localEXE2022-01-20 10:38:28.845{6F5BEE90-3B87-61E9-7809-000000002102}4696C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe2022-01-20 10:38:28.845 10341000x800000000000000058397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:28.800{6F5BEE90-1B0F-61E9-E500-000000002102}41762952C:\Windows\system32\csrss.exe{6F5BEE90-3BA4-61E9-7A09-000000002102}1104C:\Windows\SysWOW64\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000058396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:28.800{6F5BEE90-18A9-61E9-0C00-000000002102}8283272C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2C00-000000002102}2984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:28.800{6F5BEE90-18A9-61E9-0C00-000000002102}8283272C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2C00-000000002102}2984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:28.800{6F5BEE90-18A9-61E9-0C00-000000002102}8283272C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2C00-000000002102}2984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:28.800{6F5BEE90-18A9-61E9-0C00-000000002102}8283272C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2C00-000000002102}2984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:28.800{6F5BEE90-3B87-61E9-7809-000000002102}4696348C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe{6F5BEE90-3BA4-61E9-7A09-000000002102}1104C:\Windows\SysWOW64\WScript.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+d7f5c(wow64)|C:\Windows\System32\windows.storage.dll+12427f(wow64)|C:\Windows\System32\windows.storage.dll+123f9f(wow64)|C:\Windows\System32\windows.storage.dll+123ce7(wow64)|C:\Windows\System32\windows.storage.dll+124cd5(wow64)|C:\Windows\System32\windows.storage.dll+123b11(wow64)|C:\Windows\System32\windows.storage.dll+125eea(wow64)|C:\Windows\System32\windows.storage.dll+1262f7(wow64)|C:\Windows\System32\windows.storage.dll+125915(wow64)|C:\Windows\System32\shell32.dll+1711b4(wow64)|C:\Windows\System32\shell32.dll+17108e(wow64)|C:\Windows\System32\shell32.dll+1ae43a(wow64)|C:\Windows\System32\shcore.dll+2fffa(wow64) 154100x800000000000000058391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:28.792{6F5BEE90-3BA4-61E9-7A09-000000002102}1104C:\Windows\SysWOW64\wscript.exe5.812.10240.16384Microsoft ® Windows Based Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwscript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Administrator\AppData\Local\Temp\2\Nmddfrqqrbyjeygggda.vbs" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\ATTACKRANGE\Administrator{6F5BEE90-1B13-61E9-8513-0D0000000000}0xd13852HighMD5=4F021FB3CBD3023D2E20F69176E00099,SHA256=D63ADCCC897B7F74FE56170446D100C7C0F740A6CF01AD17913409581F392E74,IMPHASH=63ECF92956704DAB3E8ACC4116ED9C44{6F5BEE90-3B87-61E9-7809-000000002102}4696C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" 23542300x800000000000000058390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:28.783{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49A9CB31DAD383407F54851D7BEB0FB6,SHA256=47FB2EE7D5ACA3EC988A28D11E39FD4CCABF34A1A4DD1E52F9C08D407759A806,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000058389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:28.699{6F5BEE90-3B87-61E9-7809-000000002102}4696C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\Nmddfrqqrbyjeygggda.vbs2022-01-20 10:38:28.699 734700x800000000000000058388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:28.513{6F5BEE90-3B87-61E9-7809-000000002102}4696C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Temp\Tbopbh.dll1.0.0.0---Frkmlkdkdubkznbkmcf.dllMD5=E61518AE9454A563B8F842286BBDB87B,SHA256=9EF7DBD3DA51332A78EFF19146D21C82957821E464E8133E9594A07D716D892D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x800000000000000058387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:28.513{6F5BEE90-3B87-61E9-7809-000000002102}4696C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Temp\Tbopbh.dll1.0.0.0---Frkmlkdkdubkznbkmcf.dllMD5=E61518AE9454A563B8F842286BBDB87B,SHA256=9EF7DBD3DA51332A78EFF19146D21C82957821E464E8133E9594A07D716D892D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 10341000x800000000000000058800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.990{6F5BEE90-3B87-61E9-7809-000000002102}46966652C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe{6F5BEE90-3BA5-61E9-8409-000000002102}1516C:\Users\Administrator\AppData\Local\Temp\2\InstallUtil.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9278(wow64)|C:\Windows\System32\KERNELBASE.dll+15a0bb(wow64)|C:\Windows\System32\KERNELBASE.dll+159d6c(wow64)|UNKNOWN(00000000070FF988)|UNKNOWN(0000000007233D7F)|UNKNOWN(00000000070F6C3E)|UNKNOWN(00000000070F5F69)|UNKNOWN(00000000070F8BE4)|UNKNOWN(00000000070F8AF8)|UNKNOWN(00000000070F42B6)|UNKNOWN(00000000070F25A5)|UNKNOWN(00000000070F4B75)|UNKNOWN(00000000070F485E)|UNKNOWN(00000000070F436A) 154100x800000000000000058799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.989{6F5BEE90-3BA5-61E9-8409-000000002102}1516C:\Users\Administrator\AppData\Local\Temp\2\InstallUtil.exe4.8.3761.0 built by: NET48REL1.NET Framework installation utilityMicrosoft® .NET FrameworkMicrosoft CorporationInstallUtil.exeC:\Users\Administrator\AppData\Local\Temp\2\InstallUtil.exeC:\Windows\SysWOW64\WindowsPowerShell\v1.0\ATTACKRANGE\Administrator{6F5BEE90-1B13-61E9-8513-0D0000000000}0xd13852HighMD5=AF862061889F5B9B956E9469DCDAE773,SHA256=AF5CBD35C7D8DEA7D879113FDA61B0F64AC6618BCDAE15C0C732A018BABF68EE,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{6F5BEE90-3B87-61E9-7809-000000002102}4696C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" 23542300x800000000000000058798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.922{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C65C3BE41EDEA92097372CDCD287C1B7,SHA256=346E04484C9E0AFC1C2CE5032D65A4CE770F1C548415F54D880D4134245944CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.889{6F5BEE90-18AA-61E9-1600-000000002102}13241960C:\Windows\System32\svchost.exe{6F5BEE90-3BA5-61E9-7D09-000000002102}4800C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.889{6F5BEE90-18AA-61E9-1600-000000002102}13241364C:\Windows\System32\svchost.exe{6F5BEE90-3BA5-61E9-7D09-000000002102}4800C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.832{6F5BEE90-18A7-61E9-0B00-000000002102}6085192C:\Windows\system32\lsass.exe{6F5BEE90-3BA5-61E9-7D09-000000002102}4800C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.832{6F5BEE90-18A7-61E9-0B00-000000002102}6085192C:\Windows\system32\lsass.exe{6F5BEE90-3BA5-61E9-7D09-000000002102}4800C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000058793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.808{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2537A7F1D9631E239922B001C525A88,SHA256=832AA6E843F1D390F53C0D008DE83A6706BA0A9BE4189E2A6497E440BDD6BD88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.806{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B350D179A29FBC915862682C26D961F5,SHA256=334F0B303C9C8083858FB40D7E5DD9B871F525F8930A61A213EB1B42DE5D7FFA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x800000000000000058791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.localEXE2022-01-20 10:38:29.805{6F5BEE90-3B87-61E9-7809-000000002102}4696C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\InstallUtil.exe2022-01-20 10:38:29.805 17141700x800000000000000058790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-CreatePipe2022-01-20 10:38:29.789{6F5BEE90-3BA5-61E9-7D09-000000002102}4800\PSHost.132871487092321483.4800.DefaultAppDomain.powershellC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000058789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.784{6F5BEE90-3B87-61E9-7809-000000002102}4696ATTACKRANGE\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exeMD5=17FC12902F4769AF3A9271EB4E2DACCE,SHA256=29AE7B30ED8394C509C561F6117EA671EC412DA50D435099756BBB257FAFB10B,IMPHASH=563F92D1CB750F339006B11E53047050truetrue 23542300x800000000000000058788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.777{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD6B25B191B4D57CCE50D15128DFCD18,SHA256=BB6EE2743166F0291C0A3C2990889F98FA491E3DEDD798587F933D2B6764E83D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.773{6F5BEE90-18A7-61E9-0B00-000000002102}6085192C:\Windows\system32\lsass.exe{6F5BEE90-3BA5-61E9-8209-000000002102}3968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000058786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.770{6F5BEE90-3BA5-61E9-7D09-000000002102}4800ATTACKRANGE\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_sqzfj55d.x03.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.732{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D033BA28FD06B67027134DEDAB670FBC,SHA256=A155C717A6BF7901721B130FCF7ECBA97EDB3F7472F8D4DDE8633DB76ED858CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.732{6F5BEE90-18CD-61E9-7700-000000002102}484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6ADD2E7454C4DCB7187B2879573CE631,SHA256=1C26C68135B62B5DE1F8C9EECFC72790768D61D5852AEBBCD6B2AF68D3D34E76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000058783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.685{6F5BEE90-3BA5-61E9-7D09-000000002102}4800ATTACKRANGE\AdministratorC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_2nfcmlgm.jzx.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000058782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.680{6F5BEE90-18A9-61E9-0C00-000000002102}8283272C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2C00-000000002102}2984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.680{6F5BEE90-18A9-61E9-0C00-000000002102}8283272C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2C00-000000002102}2984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.679{6F5BEE90-18A9-61E9-0C00-000000002102}8283272C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2C00-000000002102}2984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.679{6F5BEE90-18A9-61E9-0C00-000000002102}8283272C:\Windows\system32\svchost.exe{6F5BEE90-18B8-61E9-2C00-000000002102}2984C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.553{6F5BEE90-18AA-61E9-1600-000000002102}13241960C:\Windows\System32\svchost.exe{6F5BEE90-3BA5-61E9-8309-000000002102}6208C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.553{6F5BEE90-18AA-61E9-1600-000000002102}13241364C:\Windows\System32\svchost.exe{6F5BEE90-3BA5-61E9-8309-000000002102}6208C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.550{6F5BEE90-3BA5-61E9-8309-000000002102}62085348C:\Windows\system32\conhost.exe{6F5BEE90-3BA5-61E9-8209-000000002102}3968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.522{6F5BEE90-1B0F-61E9-E500-000000002102}41764072C:\Windows\system32\csrss.exe{6F5BEE90-3BA5-61E9-8309-000000002102}6208C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000058774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.516{6F5BEE90-1B0F-61E9-E500-000000002102}41762952C:\Windows\system32\csrss.exe{6F5BEE90-3BA5-61E9-8209-000000002102}3968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 534500x800000000000000058773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.516{6F5BEE90-3BA5-61E9-8109-000000002102}4580C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe 10341000x800000000000000058772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.512{6F5BEE90-18A7-61E9-0500-000000002102}392408C:\Windows\system32\csrss.exe{6F5BEE90-3BA5-61E9-8209-000000002102}3968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000058771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.511{6F5BEE90-18AA-61E9-1600-000000002102}13241960C:\Windows\System32\svchost.exe{6F5BEE90-3BA5-61E9-8209-000000002102}3968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\seclogon.dll+17dc|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000058770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.504{6F5BEE90-3BA5-61E9-8209-000000002102}3968C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" rmdir 'C:\ProgramData\Microsoft\Windows Defender' -RecurseC:\Windows\System32\WindowsPowerShell\v1.0\NT AUTHORITY\SYSTEM{6F5BEE90-18A8-61E9-E703-000000000000}0x3e72SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{6F5BEE90-3BA5-61E9-8109-000000002102}4580C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe"C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run 10341000x800000000000000058769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.502{6F5BEE90-18AA-61E9-1600-000000002102}13241960C:\Windows\System32\svchost.exe{6F5BEE90-3BA5-61E9-8109-000000002102}4580C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\seclogon.dll+1404|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.502{6F5BEE90-18AA-61E9-1600-000000002102}13241960C:\Windows\System32\svchost.exe{6F5BEE90-3BA5-61E9-8109-000000002102}4580C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe0x14c0C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\seclogon.dll+128d|c:\windows\system32\seclogon.dll+10ac|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000058767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.502{6F5BEE90-3BA5-61E9-8109-000000002102}45805920C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe{6F5BEE90-3BA5-61E9-7C09-000000002102}4792C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1e62|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1e2c|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000058766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.501{6F5BEE90-3BA5-61E9-8109-000000002102}45805920C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe{6F5BEE90-3BA5-61E9-7E09-000000002102}1216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000058765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.501{6F5BEE90-3BA5-61E9-8109-000000002102}45805920C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe{6F5BEE90-3BA5-61E9-7D09-000000002102}4800C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000058764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.501{6F5BEE90-3BA5-61E9-8109-000000002102}45805920C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe{6F5BEE90-3BA5-61E9-7C09-000000002102}4792C:\Windows\servicing\TrustedInstaller.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000058763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.501{6F5BEE90-3BA5-61E9-8109-000000002102}45805920C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe{6F5BEE90-3B87-61E9-7909-000000002102}5084C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000058762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.501{6F5BEE90-3BA5-61E9-8109-000000002102}45805920C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe{6F5BEE90-3B87-61E9-7809-000000002102}4696C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000058761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.501{6F5BEE90-3BA5-61E9-8109-000000002102}45805920C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe{6F5BEE90-3B76-61E9-7209-000000002102}5796C:\Windows\system32\DllHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000058760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.501{6F5BEE90-3BA5-61E9-8109-000000002102}45805920C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe{6F5BEE90-3AA2-61E9-5609-000000002102}92C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000058759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.500{6F5BEE90-3BA5-61E9-8109-000000002102}45805920C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe{6F5BEE90-3AA2-61E9-5509-000000002102}3436C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000058758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.500{6F5BEE90-3BA5-61E9-8109-000000002102}45805920C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe{6F5BEE90-3549-61E9-A608-000000002102}2936C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000058757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.500{6F5BEE90-3BA5-61E9-8109-000000002102}45805920C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe{6F5BEE90-2D48-61E9-B407-000000002102}4080C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000058756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.500{6F5BEE90-3BA5-61E9-8109-000000002102}45805920C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe{6F5BEE90-2D48-61E9-B307-000000002102}5484C:\Temp\hiew32demo.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000058755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.499{6F5BEE90-3BA5-61E9-8109-000000002102}45805920C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe{6F5BEE90-2D0D-61E9-AB07-000000002102}5532C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000058754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.499{6F5BEE90-3BA5-61E9-8109-000000002102}45805920C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe{6F5BEE90-2D0D-61E9-AA07-000000002102}5544C:\Temp\hiew32demo.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000058753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.499{6F5BEE90-3BA5-61E9-8109-000000002102}45805920C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe{6F5BEE90-2AC2-61E9-3207-000000002102}1112C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000058752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.499{6F5BEE90-3BA5-61E9-8109-000000002102}45805920C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe{6F5BEE90-2AC2-61E9-3107-000000002102}4508C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000058751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.499{6F5BEE90-3BA5-61E9-8109-000000002102}45805920C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe{6F5BEE90-269A-61E9-B006-000000002102}5572C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000058750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.499{6F5BEE90-3BA5-61E9-8109-000000002102}45805920C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe{6F5BEE90-1FE8-61E9-D805-000000002102}2820C:\Program Files\Greenshot\Greenshot.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000058749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.498{6F5BEE90-3BA5-61E9-8109-000000002102}45805920C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe{6F5BEE90-1D12-61E9-4D04-000000002102}6952C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000058748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.498{6F5BEE90-3BA5-61E9-8109-000000002102}45805920C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe{6F5BEE90-1CBF-61E9-8B03-000000002102}6916C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000058747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.498{6F5BEE90-3BA5-61E9-8109-000000002102}45805920C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe{6F5BEE90-1CBD-61E9-8503-000000002102}6656C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000058746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.498{6F5BEE90-3BA5-61E9-8109-000000002102}45805920C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe{6F5BEE90-1CBC-61E9-8203-000000002102}4352C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000058745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.498{6F5BEE90-3BA5-61E9-8109-000000002102}45805920C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe{6F5BEE90-1CBC-61E9-8103-000000002102}7052C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x800000000000000058744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-53.attackrange.local-2022-01-20 10:38:29.498{6F5BEE90-3BA5-61E9-8109-000000002102}45805920C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe{6F5BEE90-1CBB-61E9-7A03-000000002102}3596C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6ae8(wow64)|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+9683|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1e10|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+21a7|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+2846|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+1d55|C:\Users\Administrator\AppData\Local\Temp\2\AdvancedRun.exe+b45e|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64)