Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7942A313-E058-61FC-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7942A313-E06B-61FC-2C00-000000002D02}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000126834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:04:47.515{7942A313-E078-61FC-6A00-000000002D02}3528C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49347-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000126857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:04:50.887{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A400B4DE25AD14263BD41285BF81EC4,SHA256=55CAA6618F2D015CF52B7763736009B8003C11DA71C94A48AA572FD19A37205E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:04:50.739{7942A313-EC32-61FC-2802-000000002D02}71006380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7942A313-E06B-61FC-2C00-000000002D02}2984C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:04:50.522{7942A313-E06C-61FC-3300-000000002D02}32243244C:\Windows\system32\conhost.exe{7942A313-EC32-61FC-2802-000000002D02}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:04:50.522{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:04:50.522{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:04:50.522{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:04:50.522{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:04:50.522{7942A313-E057-61FC-0500-000000002D02}416532C:\Windows\system32\csrss.exe{7942A313-EC32-61FC-2802-000000002D02}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000126849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:04:50.522{7942A313-E06B-61FC-2C00-000000002D02}29844028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7942A313-EC32-61FC-2802-000000002D02}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000126848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:04:50.523{7942A313-EC32-61FC-2802-000000002D02}7100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk 
Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7942A313-E058-61FC-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7942A313-E06B-61FC-2C00-000000002D02}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000126847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:04:49.145{7942A313-E057-61FC-0B00-000000002D02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local49348-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local389ldap 354300x8000000000000000126846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:04:49.144{7942A313-E06B-61FC-2300-000000002D02}2744C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local49348-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local389ldap 10341000x8000000000000000126868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:04:51.970{7942A313-E06C-61FC-3300-000000002D02}32243244C:\Windows\system32\conhost.exe{7942A313-EC33-61FC-2902-000000002D02}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:04:51.970{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:04:51.970{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126865Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:04:51.970{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126864Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:04:51.970{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126863Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:04:51.970{7942A313-E057-61FC-0500-000000002D02}416532C:\Windows\system32\csrss.exe{7942A313-EC33-61FC-2902-000000002D02}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000126862Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:04:51.970{7942A313-E06B-61FC-2C00-000000002D02}29844028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7942A313-EC33-61FC-2902-000000002D02}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000126861Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:04:51.971{7942A313-EC33-61FC-2902-000000002D02}6432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk 
Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7942A313-E058-61FC-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7942A313-E06B-61FC-2C00-000000002D02}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000126860Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:04:51.905{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=768957BECB1C141F6CA0E4D2DCE80EEE,SHA256=0CE72F816C9F24ABAB6BA14CC49C60218307A9BE5FE56CB0A30D5453650B2C0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126859Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:04:51.523{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E780BFE22284D10A74C8B37F129FF700,SHA256=CAADD9F48AB5EF6A80D9CF817132F57D18127F314D1BA36096C899228107653A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:04:51.373{7942A313-E06B-61FC-2400-000000002D02}2760NT AUTHORITY\SYSTEMC:\Program 
Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db9be1e42b7ba0dd\channels\health\respondent-20220204081438-048MD5=E4EA031637ACBB6F47BD231C2E2E1E96,SHA256=5C6E1C437BF72BDE074F4E51EF9D1792A62DAB991F745007C61C3F065E9CCEC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:04:52.987{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E55960F5C6668EE685A350C9F44B09F,SHA256=07676CE40E3688A73BDD444EFF49E27847BD7EC9AB34DC91C91ECF4BE073834D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:04:52.909{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9659CA5279D4F967FC6188AB6E21399C,SHA256=954973BD626D03E91F2D8A39273D7061CB197D86A351D7666A9C331C14512567,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:04:52.387{7942A313-E06B-61FC-2400-000000002D02}2760NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db9be1e42b7ba0dd\channels\health\surveyor-20220204081435-049MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000126872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:04:53.923{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94ED4F4ED86EAFCC2E813C66FA1DB0FF,SHA256=03C43600D19E571B11AF0BB9D8DF5B4C5D1FFC05B8F9829FB2D972D3FBB05479,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:04:54.938{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21650FFD830ACF8FECE54262D2FC84B7,SHA256=C522A4A391723D6076668CFA2F7FD100E2DF25BEB0E1F314CDF223093C7BAB64,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000126873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:04:52.514{7942A313-E078-61FC-6A00-000000002D02}3528C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49349-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000126875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:04:55.955{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0127FFC7F776390181DDFEE10129A2C6,SHA256=943F6E1633166EB8B1A9C4454CCA8248AA36789469134DFF59C432B0F8047036,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:04:56.957{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67BDCD1ECF51FF51DB91B66060780FB1,SHA256=326009E26889483215D0995EA492DA9C7972579B423A79405940AC197007085B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:04:57.972{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F26CB6BC8A3C39C00E67463AF3F5BE7E,SHA256=33F003155AF20C8EFF68EA36967D3291F98FE20AFE12366012573D6A6FCB3B1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:04:58.987{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66D23B5117B304ADA43A0BAA7E257B54,SHA256=91A135CC8E8CA1B6DB1E53E85BF73DC1BE372BD21F7AB7A477659BBB849DA092,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000126880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:04:59.991{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=709B97E6C6CC9EBCC89B31023A516D16,SHA256=EA5D086611C686284752E272AD704DEC9F21D99B4C538DA086EDFFC915DB0DFE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000126879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:04:57.564{7942A313-E078-61FC-6A00-000000002D02}3528C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49350-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000126881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:01.010{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CFDCA7CC1B0FB14E0070D7F8E60F810,SHA256=9223B23D6BEB80E810467FBA791E4C0AF1A7901389DF152EAA365088911D5AC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:02.030{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBC44B5027D409C409F1962417C5D3D1,SHA256=878B4E47DC4A140CCF9A3306A95D102929401AEEB58CBEED8993B6DA517C8F85,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000126884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:02.604{7942A313-E078-61FC-6A00-000000002D02}3528C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49351-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000126883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:03.045{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC1D2DC7B5DD9321B05B715D328D7D9F,SHA256=02E9E7379C42ECFA7A19E94AA169DD52E6C682DE237103455924B02B7736AD95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:04.045{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1515CEADD3D159708CF574A87827C3D4,SHA256=7256855D5A1C2637CD2F276469DE9FDDD687742971C7EB47227F67768253B807,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:05:05.992{7942A313-E06C-61FC-3300-000000002D02}32243244C:\Windows\system32\conhost.exe{7942A313-EC41-61FC-2B02-000000002D02}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:05.992{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:05:05.992{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:05.992{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:05:05.992{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:05.992{7942A313-E057-61FC-0500-000000002D02}416532C:\Windows\system32\csrss.exe{7942A313-EC41-61FC-2B02-000000002D02}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000126897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:05.992{7942A313-E06B-61FC-2C00-000000002D02}29844028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7942A313-EC41-61FC-2B02-000000002D02}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000126896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:05.993{7942A313-EC41-61FC-2B02-000000002D02}6784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7942A313-E058-61FC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7942A313-E06B-61FC-2C00-000000002D02}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000126895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:05.776{7942A313-EC41-61FC-2A02-000000002D02}66646708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7942A313-E06B-61FC-2C00-000000002D02}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:05.491{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:05:05.491{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:05.491{7942A313-E06C-61FC-3300-000000002D02}32243244C:\Windows\system32\conhost.exe{7942A313-EC41-61FC-2A02-000000002D02}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:05:05.491{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:05.491{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:05:05.491{7942A313-E057-61FC-0500-000000002D02}416408C:\Windows\system32\csrss.exe{7942A313-EC41-61FC-2A02-000000002D02}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000126888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:05.491{7942A313-E06B-61FC-2C00-000000002D02}29844028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7942A313-EC41-61FC-2A02-000000002D02}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000126887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:05.492{7942A313-EC41-61FC-2A02-000000002D02}6664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7942A313-E058-61FC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7942A313-E06B-61FC-2C00-000000002D02}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000126886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:05.076{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBD406B5AA011922791E133173EBD68E,SHA256=680EF5ADAA6B2F7BE5D39D8299A754C806866EBA8E047B32B58593D0567073ED,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000126920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-SetValue2022-02-04 09:05:06.887{7942A313-E06B-61FC-2B00-000000002D02}2940C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\3C03FEAA-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_3C03FEAA-0000-0000-0000-100000000000.XML 13241300x8000000000000000126919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-SetValue2022-02-04 09:05:06.871{7942A313-E06B-61FC-2B00-000000002D02}2940C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\FB968765-8CFB-4638-AB9D-EC1BD74BF6A7\Config SourceDWORD (0x00000001) 13241300x8000000000000000126918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-SetValue2022-02-04 
09:05:06.871{7942A313-E06B-61FC-2B00-000000002D02}2940C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\FB968765-8CFB-4638-AB9D-EC1BD74BF6A7\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_FB968765-8CFB-4638-AB9D-EC1BD74BF6A7.XML 10341000x8000000000000000126917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:06.840{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-E06B-61FC-2B00-000000002D02}2940C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:05:06.840{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-E06B-61FC-2B00-000000002D02}2940C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:06.660{7942A313-E06C-61FC-3300-000000002D02}32243244C:\Windows\system32\conhost.exe{7942A313-EC42-61FC-2C02-000000002D02}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:05:06.660{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:06.660{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:05:06.660{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:06.660{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:05:06.660{7942A313-E057-61FC-0500-000000002D02}416408C:\Windows\system32\csrss.exe{7942A313-EC42-61FC-2C02-000000002D02}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000126909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:06.660{7942A313-E06B-61FC-2C00-000000002D02}29844028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7942A313-EC42-61FC-2C02-000000002D02}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000126908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:06.661{7942A313-EC42-61FC-2C02-000000002D02}6888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk 
Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7942A313-E058-61FC-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7942A313-E06B-61FC-2C00-000000002D02}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000126907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:06.491{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BEB40310A8A8654544D9DB68B1D13CA5,SHA256=519EDD930C9360C499E18FF4CC3E404B30CF12D9A8EA1259D22187DB570F3436,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:06.491{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56DE457966A7EACB993130F032590CE8,SHA256=3AA775ACD330F06B5975619CC99C6DFC2EFAEB06E6B246DAFE5202740B8CA756,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:06.209{7942A313-EC41-61FC-2B02-000000002D02}67846796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7942A313-E06B-61FC-2C00-000000002D02}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000126904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:06.091{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3809172408064408BAA6D1184F511E5E,SHA256=672FA34C3F91C1DAE317C1C5769548C2F609644DEE639B1D9B4F42576A2E8CD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:07.773{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-E06B-61FC-2B00-000000002D02}2940C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000126933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:07.758{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-E06B-61FC-2B00-000000002D02}2940C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:07.758{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-E06B-61FC-2B00-000000002D02}2940C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
23542300x8000000000000000126931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:07.673{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BEB40310A8A8654544D9DB68B1D13CA5,SHA256=519EDD930C9360C499E18FF4CC3E404B30CF12D9A8EA1259D22187DB570F3436,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:07.504{7942A313-E06C-61FC-3300-000000002D02}32243244C:\Windows\system32\conhost.exe{7942A313-EC43-61FC-2D02-000000002D02}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:05:07.504{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:07.504{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:05:07.504{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:07.504{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:05:07.504{7942A313-E057-61FC-0500-000000002D02}416408C:\Windows\system32\csrss.exe{7942A313-EC43-61FC-2D02-000000002D02}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000126924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:07.504{7942A313-E06B-61FC-2C00-000000002D02}29844028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7942A313-EC43-61FC-2D02-000000002D02}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000126923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:07.507{7942A313-EC43-61FC-2D02-000000002D02}6820C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk 
Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7942A313-E058-61FC-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7942A313-E06B-61FC-2C00-000000002D02}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000126922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:07.104{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01B3468898278850152EA89EF272DBCB,SHA256=8818203C7A7F70A8F0A4AB7C724B85AA23E9EDD79D9DA3DD80011380BB0D52F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:06.988{7942A313-EC42-61FC-2C02-000000002D02}68886828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7942A313-E06B-61FC-2C00-000000002D02}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000126946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:08.776{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-E06B-61FC-2B00-000000002D02}2940C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:08.776{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-E06B-61FC-2B00-000000002D02}2940C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
23542300x8000000000000000126944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:08.760{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20423A856D98584B777410F6F3595BC0,SHA256=6F2C8A34957F7FC84316CB1A00031EBDA0A7D201CD1C062DD75BF9F77CE14C0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:08.608{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-E06B-61FC-2B00-000000002D02}2940C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:05:08.608{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-E06B-61FC-2B00-000000002D02}2940C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:08.608{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-E06B-61FC-2B00-000000002D02}2940C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000126940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:05:07.261{7942A313-E06B-61FC-2900-000000002D02}2924C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local53725- 354300x8000000000000000126939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:07.251{7942A313-E06B-61FC-2900-000000002D02}2924C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local63577-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x8000000000000000126938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:07.251{7942A313-E06B-61FC-2900-000000002D02}2924C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local57794- 354300x8000000000000000126937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:07.210{7942A313-E05A-61FC-0D00-000000002D02}892C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:d08a:14f6:33fc:643bwin-dc-tcontreras-attack-range-492.attackrange.local49352-truefe80:0:0:0:d08a:14f6:33fc:643bwin-dc-tcontreras-attack-range-492.attackrange.local135epmap 354300x8000000000000000126936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:07.210{7942A313-E06B-61FC-2B00-000000002D02}2940C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:d08a:14f6:33fc:643bwin-dc-tcontreras-attack-range-492.attackrange.local49352-truefe80:0:0:0:d08a:14f6:33fc:643bwin-dc-tcontreras-attack-range-492.attackrange.local135epmap 
23542300x8000000000000000126935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:08.105{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D953EED1BCAEC437377563FE1507B79F,SHA256=D5BFE7F240597F01C2E90434E494B030E6C6D5D3D5F48AF28C32B5EB2C8DD1F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000126950Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:08.364{7942A313-E078-61FC-6A00-000000002D02}3528C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49354-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000126949Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:08.117{7942A313-E057-61FC-0B00-000000002D02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49353-false10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local389ldap 354300x8000000000000000126948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:08.116{7942A313-E06B-61FC-2B00-000000002D02}2940C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49353-false10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local389ldap 23542300x8000000000000000126947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:09.107{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC148201F847D7FF5053095EE1E6AAD7,SHA256=9210AC45EACFE5AB9DFB8F0DB6651F99347B1406466D43627665B24C04671BF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000126957Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:08.966{7942A313-E057-61FC-0B00-000000002D02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49355-false10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local389ldap 354300x8000000000000000126956Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:08.966{7942A313-E06B-61FC-2B00-000000002D02}2940C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49355-false10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local389ldap 10341000x8000000000000000126955Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:10.147{7942A313-E82C-61FC-9101-000000002D02}49485116C:\Program Files\Mozilla Firefox\firefox.exe{7942A313-EB76-61FC-0D02-000000002D02}92C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2c790|C:\Program Files\Mozilla Firefox\xul.dll+e20bcd|C:\Program Files\Mozilla Firefox\xul.dll+e21cbf|C:\Program Files\Mozilla Firefox\xul.dll+11425b6|C:\Program Files\Mozilla Firefox\xul.dll+114265d|C:\Program Files\Mozilla Firefox\xul.dll+114265d|C:\Program Files\Mozilla Firefox\xul.dll+114265d|C:\Program Files\Mozilla Firefox\xul.dll+e1e70d|C:\Program Files\Mozilla Firefox\xul.dll+e032f0|C:\Program Files\Mozilla Firefox\xul.dll+1f8e5f2|C:\Program 
Files\Mozilla Firefox\xul.dll+1a1e9ee|C:\Program Files\Mozilla Firefox\xul.dll+1a20aa1|C:\Program Files\Mozilla Firefox\xul.dll+17ab6f0|C:\Program Files\Mozilla Firefox\xul.dll+16de97a|C:\Program Files\Mozilla Firefox\xul.dll+1bd2c09|C:\Program Files\Mozilla Firefox\xul.dll+1bc94df|C:\Program Files\Mozilla Firefox\xul.dll+17ab911|C:\Program Files\Mozilla Firefox\xul.dll+16de97a|C:\Program Files\Mozilla Firefox\xul.dll+1dcff6f|UNKNOWN(0000030796427DA4) 10341000x8000000000000000126954Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:10.147{7942A313-E82C-61FC-9101-000000002D02}49485116C:\Program Files\Mozilla Firefox\firefox.exe{7942A313-EB6B-61FC-0C02-000000002D02}4040C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2c790|C:\Program Files\Mozilla Firefox\xul.dll+e20bcd|C:\Program Files\Mozilla Firefox\xul.dll+e21cbf|C:\Program Files\Mozilla Firefox\xul.dll+11425b6|C:\Program Files\Mozilla Firefox\xul.dll+114265d|C:\Program Files\Mozilla Firefox\xul.dll+114265d|C:\Program Files\Mozilla Firefox\xul.dll+e1e70d|C:\Program Files\Mozilla Firefox\xul.dll+e032f0|C:\Program Files\Mozilla Firefox\xul.dll+1f8e5f2|C:\Program Files\Mozilla Firefox\xul.dll+1a1e9ee|C:\Program Files\Mozilla Firefox\xul.dll+1a20aa1|C:\Program Files\Mozilla Firefox\xul.dll+17ab6f0|C:\Program Files\Mozilla Firefox\xul.dll+16de97a|C:\Program Files\Mozilla Firefox\xul.dll+1bd2c09|C:\Program Files\Mozilla Firefox\xul.dll+1bc94df|C:\Program Files\Mozilla Firefox\xul.dll+17ab911|C:\Program Files\Mozilla Firefox\xul.dll+16de97a|C:\Program Files\Mozilla Firefox\xul.dll+1dcff6f|UNKNOWN(0000030796427DA4) 10341000x8000000000000000126953Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:10.147{7942A313-E82C-61FC-9101-000000002D02}49485116C:\Program Files\Mozilla 
Firefox\firefox.exe{7942A313-EB4A-61FC-0702-000000002D02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2c790|C:\Program Files\Mozilla Firefox\xul.dll+e20bcd|C:\Program Files\Mozilla Firefox\xul.dll+e21cbf|C:\Program Files\Mozilla Firefox\xul.dll+11425b6|C:\Program Files\Mozilla Firefox\xul.dll+114265d|C:\Program Files\Mozilla Firefox\xul.dll+e1e70d|C:\Program Files\Mozilla Firefox\xul.dll+e032f0|C:\Program Files\Mozilla Firefox\xul.dll+1f8e5f2|C:\Program Files\Mozilla Firefox\xul.dll+1a1e9ee|C:\Program Files\Mozilla Firefox\xul.dll+1a20aa1|C:\Program Files\Mozilla Firefox\xul.dll+17ab6f0|C:\Program Files\Mozilla Firefox\xul.dll+16de97a|C:\Program Files\Mozilla Firefox\xul.dll+1bd2c09|C:\Program Files\Mozilla Firefox\xul.dll+1bc94df|C:\Program Files\Mozilla Firefox\xul.dll+17ab911|C:\Program Files\Mozilla Firefox\xul.dll+16de97a|C:\Program Files\Mozilla Firefox\xul.dll+1dcff6f|UNKNOWN(0000030796427DA4) 10341000x8000000000000000126952Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:10.147{7942A313-E82C-61FC-9101-000000002D02}49485116C:\Program Files\Mozilla Firefox\firefox.exe{7942A313-EB3C-61FC-0302-000000002D02}5216C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2c790|C:\Program Files\Mozilla Firefox\xul.dll+e20bcd|C:\Program Files\Mozilla Firefox\xul.dll+e21cbf|C:\Program Files\Mozilla Firefox\xul.dll+11425b6|C:\Program Files\Mozilla Firefox\xul.dll+e1e70d|C:\Program Files\Mozilla Firefox\xul.dll+e032f0|C:\Program Files\Mozilla Firefox\xul.dll+1f8e5f2|C:\Program Files\Mozilla Firefox\xul.dll+1a1e9ee|C:\Program Files\Mozilla Firefox\xul.dll+1a20aa1|C:\Program Files\Mozilla Firefox\xul.dll+17ab6f0|C:\Program Files\Mozilla Firefox\xul.dll+16de97a|C:\Program 
Files\Mozilla Firefox\xul.dll+1bd2c09|C:\Program Files\Mozilla Firefox\xul.dll+1bc94df|C:\Program Files\Mozilla Firefox\xul.dll+17ab911|C:\Program Files\Mozilla Firefox\xul.dll+16de97a|C:\Program Files\Mozilla Firefox\xul.dll+1dcff6f|UNKNOWN(0000030796427DA4) 23542300x8000000000000000126951Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:10.109{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CCDF88B8C993EE7DA5C39F15D5253E6,SHA256=83FDC7C39A1B263D2B5696B23BB9FFE70669EFB5F63E5C0045A01DE04ECAFCE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126958Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:11.110{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ED9372BA582AEE594FFDC409D5EF8CE,SHA256=B140CBAA21CC9D0B7B095D80EE35338F296E2D2287E32A3FDC771B4C9957A32A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000126963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:12.164{7942A313-E82C-61FC-9101-000000002D02}49485116C:\Program Files\Mozilla Firefox\firefox.exe{7942A313-EB76-61FC-0D02-000000002D02}92C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2c790|C:\Program Files\Mozilla Firefox\xul.dll+e20bcd|C:\Program Files\Mozilla Firefox\xul.dll+e20658|C:\Program Files\Mozilla Firefox\xul.dll+82b572|C:\Program Files\Mozilla Firefox\xul.dll+81f5a1|C:\Program 
Files\Mozilla Firefox\xul.dll+19ce137|C:\Program Files\Mozilla Firefox\xul.dll+16a3f81|C:\Program Files\Mozilla Firefox\xul.dll+19f62f8|C:\Program Files\Mozilla Firefox\xul.dll+96dd0f|C:\Program Files\Mozilla Firefox\xul.dll+2542e|C:\Program Files\Mozilla Firefox\xul.dll+18df38|C:\Program Files\Mozilla Firefox\xul.dll+18ce6f|C:\Program Files\Mozilla Firefox\xul.dll+43b2d41|C:\Program Files\Mozilla Firefox\xul.dll+441e889|C:\Program Files\Mozilla Firefox\xul.dll+441f679|C:\Program Files\Mozilla Firefox\xul.dll+1f91e73|C:\Program Files\Mozilla Firefox\firefox.exe+a16f|C:\Program Files\Mozilla Firefox\firefox.exe+1ca08|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:12.164{7942A313-E82C-61FC-9101-000000002D02}49485116C:\Program Files\Mozilla Firefox\firefox.exe{7942A313-EB6B-61FC-0C02-000000002D02}4040C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2c790|C:\Program Files\Mozilla Firefox\xul.dll+e20bcd|C:\Program Files\Mozilla Firefox\xul.dll+e20658|C:\Program Files\Mozilla Firefox\xul.dll+82b572|C:\Program Files\Mozilla Firefox\xul.dll+81f5a1|C:\Program Files\Mozilla Firefox\xul.dll+19ce137|C:\Program Files\Mozilla Firefox\xul.dll+16a3f81|C:\Program Files\Mozilla Firefox\xul.dll+19f62f8|C:\Program Files\Mozilla Firefox\xul.dll+96dd0f|C:\Program Files\Mozilla Firefox\xul.dll+2542e|C:\Program Files\Mozilla Firefox\xul.dll+18df38|C:\Program Files\Mozilla Firefox\xul.dll+18ce6f|C:\Program Files\Mozilla Firefox\xul.dll+43b2d41|C:\Program Files\Mozilla Firefox\xul.dll+441e889|C:\Program Files\Mozilla Firefox\xul.dll+441f679|C:\Program Files\Mozilla Firefox\xul.dll+1f91e73|C:\Program Files\Mozilla Firefox\firefox.exe+a16f|C:\Program Files\Mozilla 
Firefox\firefox.exe+1ca08|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:12.164{7942A313-E82C-61FC-9101-000000002D02}49485116C:\Program Files\Mozilla Firefox\firefox.exe{7942A313-EB4A-61FC-0702-000000002D02}2464C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2c790|C:\Program Files\Mozilla Firefox\xul.dll+e20bcd|C:\Program Files\Mozilla Firefox\xul.dll+e20658|C:\Program Files\Mozilla Firefox\xul.dll+82b572|C:\Program Files\Mozilla Firefox\xul.dll+81f5a1|C:\Program Files\Mozilla Firefox\xul.dll+19ce137|C:\Program Files\Mozilla Firefox\xul.dll+16a3f81|C:\Program Files\Mozilla Firefox\xul.dll+19f62f8|C:\Program Files\Mozilla Firefox\xul.dll+96dd0f|C:\Program Files\Mozilla Firefox\xul.dll+2542e|C:\Program Files\Mozilla Firefox\xul.dll+18df38|C:\Program Files\Mozilla Firefox\xul.dll+18ce6f|C:\Program Files\Mozilla Firefox\xul.dll+43b2d41|C:\Program Files\Mozilla Firefox\xul.dll+441e889|C:\Program Files\Mozilla Firefox\xul.dll+441f679|C:\Program Files\Mozilla Firefox\xul.dll+1f91e73|C:\Program Files\Mozilla Firefox\firefox.exe+a16f|C:\Program Files\Mozilla Firefox\firefox.exe+1ca08|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000126960Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:12.164{7942A313-E82C-61FC-9101-000000002D02}49485116C:\Program Files\Mozilla Firefox\firefox.exe{7942A313-EB3C-61FC-0302-000000002D02}5216C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+2c790|C:\Program Files\Mozilla Firefox\xul.dll+e20bcd|C:\Program Files\Mozilla 
Firefox\xul.dll+e20658|C:\Program Files\Mozilla Firefox\xul.dll+82b572|C:\Program Files\Mozilla Firefox\xul.dll+81f5a1|C:\Program Files\Mozilla Firefox\xul.dll+19ce137|C:\Program Files\Mozilla Firefox\xul.dll+16a3f81|C:\Program Files\Mozilla Firefox\xul.dll+19f62f8|C:\Program Files\Mozilla Firefox\xul.dll+96dd0f|C:\Program Files\Mozilla Firefox\xul.dll+2542e|C:\Program Files\Mozilla Firefox\xul.dll+18df38|C:\Program Files\Mozilla Firefox\xul.dll+18ce6f|C:\Program Files\Mozilla Firefox\xul.dll+43b2d41|C:\Program Files\Mozilla Firefox\xul.dll+441e889|C:\Program Files\Mozilla Firefox\xul.dll+441f679|C:\Program Files\Mozilla Firefox\xul.dll+1f91e73|C:\Program Files\Mozilla Firefox\firefox.exe+a16f|C:\Program Files\Mozilla Firefox\firefox.exe+1ca08|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000126959Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:12.111{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7D620835C07E7744D9B999E8F950BF4,SHA256=5566250D972FBFEE4605DAE48F3B632C6FEFC71D107AB16FBFCBA666C2BEB560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000126964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:13.111{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DEDBC2BF3727FF58C6E5BD7773F6AB3,SHA256=F900A8160AED485920DD335914ECE6E9F0977C55764CD420FFE8CB5F0D7015D8,IMPHASH=00000000000000000000000000000000falsetrue 
09:05:49.764{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:49.764{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:05:49.764{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:49.764{7942A313-E057-61FC-0500-000000002D02}416432C:\Windows\system32\csrss.exe{7942A313-EC6D-61FC-2E02-000000002D02}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000127035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:49.764{7942A313-E06B-61FC-2C00-000000002D02}29844028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7942A313-EC6D-61FC-2E02-000000002D02}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000127034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:49.764{7942A313-EC6D-61FC-2E02-000000002D02}6624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7942A313-E058-61FC-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7942A313-E06B-61FC-2C00-000000002D02}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000127033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:49.579{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C065025E71E4D15CC24EBB5C02D0A231,SHA256=2983E4B811AC99155BC548371BDF8C4EC7581BA20A410F8E8A158CFD60FD4F0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:50.785{7942A313-EC6E-61FC-2F02-000000002D02}66486872C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{7942A313-E06B-61FC-2C00-000000002D02}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000127054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:50.595{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CC46E666F3370B54DBF9ECF6A8DD7A9,SHA256=1B01859F8910956421AB683B5FCC4C13CEF45F5B6AFB3281595BC41A65DBE7D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:50.527{7942A313-E06C-61FC-3300-000000002D02}32243244C:\Windows\system32\conhost.exe{7942A313-EC6E-61FC-2F02-000000002D02}6648C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:50.527{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:05:50.527{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:50.527{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:05:50.527{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:50.527{7942A313-E057-61FC-0500-000000002D02}416532C:\Windows\system32\csrss.exe{7942A313-EC6E-61FC-2F02-000000002D02}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000127047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:50.527{7942A313-E06B-61FC-2C00-000000002D02}29844028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7942A313-EC6E-61FC-2F02-000000002D02}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000127046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:50.528{7942A313-EC6E-61FC-2F02-000000002D02}6648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7942A313-E058-61FC-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7942A313-E06B-61FC-2C00-000000002D02}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000127045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:49.152{7942A313-E057-61FC-0B00-000000002D02}632C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local49367-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local389ldap 354300x8000000000000000127044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:05:49.152{7942A313-E06B-61FC-2300-000000002D02}2744C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local49367-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local389ldap 10341000x8000000000000000127065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:51.985{7942A313-E06C-61FC-3300-000000002D02}32243244C:\Windows\system32\conhost.exe{7942A313-EC6F-61FC-3002-000000002D02}6944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:51.985{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:05:51.985{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:51.985{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:05:51.985{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:51.985{7942A313-E057-61FC-0500-000000002D02}416532C:\Windows\system32\csrss.exe{7942A313-EC6F-61FC-3002-000000002D02}6944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000127059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:51.985{7942A313-E06B-61FC-2C00-000000002D02}29844028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7942A313-EC6F-61FC-3002-000000002D02}6944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000127058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:51.985{7942A313-EC6F-61FC-3002-000000002D02}6944C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7942A313-E058-61FC-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7942A313-E06B-61FC-2C00-000000002D02}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000127057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:51.600{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=467133EBD3D7C7922642F5BC5EC95590,SHA256=5B48268780CEB2667F396FBF4C110DC894C65360CC697FB60C0D656454E55EDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:51.551{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73497B2F057EE71622F2B3BEEE32FE1D,SHA256=EA40CCC57D7CE83D11CD17C82084E9B5BF07F3EA1689112EB559D635A37C964A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:52.995{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6E6BE457EDF29AE7FB259FEB23BA291,SHA256=DC2D9CA898DCAE4D3C75D191EC70338C88E333C0C9C2F4E3BA113ED96527C633,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:52.930{7942A313-E06B-61FC-2400-000000002D02}2760NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db9be1e42b7ba0dd\channels\health\respondent-20220204081438-049MD5=E4EA031637ACBB6F47BD231C2E2E1E96,SHA256=5C6E1C437BF72BDE074F4E51EF9D1792A62DAB991F745007C61C3F065E9CCEC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:52.627{7942A313-E081-61FC-7300-000000002D02}3612NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC53F9F93D700046EFD7E891A5FF6C81,SHA256=55126DA1BDBC5ADEF3C54A9992D14C60D4B9871B35A636EB7BFF850027C202EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:53.943{7942A313-E06B-61FC-2400-000000002D02}2760NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db9be1e42b7ba0dd\channels\health\surveyor-20220204081435-050MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:53.645{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CC1D47DFA246C684D3C43A986B9D466,SHA256=C2E4ECC7412B8564EDA92300811E72406B17367ABAA13B1534DE5289FA709A8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000127069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:51.427{7942A313-E078-61FC-6A00-000000002D02}3528C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49368-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000127072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:05:54.664{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F50403A40EB52C3CA65D607496817AF,SHA256=D88187E43C88037C9625E972F5863A62ABB5EE82BDCF4B88740ABC6FDFDE98F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:55.695{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D48158599E71061780797E8FE627AAE5,SHA256=75D658F41942548FD58A9FB9302220031B60A5DDD7E55E8F8983699AC51D03FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:56.709{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29E0E904F206BEF53DF14E8403085BD9,SHA256=2D2AFA645BD51C1A3DD4B133C8A280195E9B38AEF9B12A59E84E947D7A507FD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127075Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:57.726{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26FB7C9C0D37FD47E6D91447A5A9CBC8,SHA256=11D5CD3C687BA777EE2833A196F3DB5A5A054D4C886ACFDC9FF5CEECB5624D18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127077Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:58.744{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D3701A0647B1A7CB846110AFD0804E6,SHA256=5629051E38FCD1D56FBE222735C9016789F11BA936D4363C213FF3C9480B3F7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000127076Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:56.597{7942A313-E078-61FC-6A00-000000002D02}3528C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49369-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000127078Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:05:59.748{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA506B84EE07F0AF7E4B0EA634B57BC4,SHA256=64EAC5E93F9449455C13DD8E1451C9BF1CDFB4B056CD2AF76D1DEF6225E300B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127079Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:00.767{7942A313-E081-61FC-7300-000000002D02}3612NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A842079BD0A9E55855A835861845A51D,SHA256=4CBC10D9C5618DC4196DC3AC2B36617CC1BDF9207C4A58C24DB947F28CFC163F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127080Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:01.797{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00D65C910600FA826DA4FFE7255169B7,SHA256=C638EEE060ED808C1C2148FE168D4D8A8A6EE7118F1A490B552B23FEBA4AEE4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127081Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:02.828{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC14E69D892EB6D0B1531BA88D2590B9,SHA256=C86FDEF67FC4927D629789F8C93A1E4750B52F00D3377E099E6816952E02CDBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127082Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:03.864{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FF92D598B38A609FDD1BBA9572924EA,SHA256=4A21877268297BF7D3B435751684DFD717E93964251117C203DFEF6CF778DF4B,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000127084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:04.895{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8AB4B3F8B35A093D76318D81EF66FE0,SHA256=47BE2FF91CFA0A9757366AF0E874F449291D00E535052D2F0B65AD18B6925AE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000127083Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:02.568{7942A313-E078-61FC-6A00-000000002D02}3528C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49370-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000127102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:05.938{7942A313-E06C-61FC-3300-000000002D02}32243244C:\Windows\system32\conhost.exe{7942A313-EC7D-61FC-3202-000000002D02}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:05.938{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:05.938{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:05.938{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:05.938{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:05.938{7942A313-E057-61FC-0500-000000002D02}416532C:\Windows\system32\csrss.exe{7942A313-EC7D-61FC-3202-000000002D02}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000127096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:05.938{7942A313-E06B-61FC-2C00-000000002D02}29844028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7942A313-EC7D-61FC-3202-000000002D02}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000127095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:05.940{7942A313-EC7D-61FC-3202-000000002D02}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7942A313-E058-61FC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7942A313-E06B-61FC-2C00-000000002D02}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000127094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:05.922{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AFB94D993698D3B8DD920C26E9113C4,SHA256=41E885152BD78A47A32D49C83968324DDA66393DE9B7C64D023ED0BDC53D4352,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:05.681{7942A313-EC7D-61FC-3102-000000002D02}66326636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7942A313-E06B-61FC-2C00-000000002D02}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:05.363{7942A313-E06C-61FC-3300-000000002D02}32243244C:\Windows\system32\conhost.exe{7942A313-EC7D-61FC-3102-000000002D02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:05.363{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:05.363{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:05.363{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:05.363{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:05.363{7942A313-E057-61FC-0500-000000002D02}416532C:\Windows\system32\csrss.exe{7942A313-EC7D-61FC-3102-000000002D02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000127086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:05.363{7942A313-E06B-61FC-2C00-000000002D02}29844028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7942A313-EC7D-61FC-3102-000000002D02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000127085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:05.364{7942A313-EC7D-61FC-3102-000000002D02}6632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{7942A313-E058-61FC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7942A313-E06B-61FC-2C00-000000002D02}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000127115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:06.940{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D4560B2678AC91D798287649C9B9E67,SHA256=96EA503FECEBC572FF58B6CE7C6F0AA26D5468CC6A356614AC70B22908459A46,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000127114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:06.871{7942A313-EC7E-61FC-3302-000000002D02}63327104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{7942A313-E06B-61FC-2C00-000000002D02}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:06.554{7942A313-E06C-61FC-3300-000000002D02}32243244C:\Windows\system32\conhost.exe{7942A313-EC7E-61FC-3302-000000002D02}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:06.554{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:06.554{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:06.554{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:06.554{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:06.554{7942A313-E057-61FC-0500-000000002D02}416432C:\Windows\system32\csrss.exe{7942A313-EC7E-61FC-3302-000000002D02}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000127107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:06.554{7942A313-E06B-61FC-2C00-000000002D02}29844028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7942A313-EC7E-61FC-3302-000000002D02}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000127106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:06.554{7942A313-EC7E-61FC-3302-000000002D02}6332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk 
Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7942A313-E058-61FC-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{7942A313-E06B-61FC-2C00-000000002D02}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000127105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:06.369{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BE806BFA17BFBFB4488D06B5F216036,SHA256=BD04FEBAE5055091EDECB1EC0B8520D535607BABF2582044C401515E9BB6C05D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:06.369{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69C371836AB3ED5BF397BE09AE94C9B7,SHA256=E3D7520ACA2DD11868E6E120309A8AE407D734C4FFCB58C1BBB51D772BDCDDF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:06.253{7942A313-EC7D-61FC-3202-000000002D02}31647136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7942A313-E06B-61FC-2C00-000000002D02}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000127125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:07.955{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09E9B8438F932EF56833C89829AE92CD,SHA256=631DA409617FAAB192C27B94D2AC3FAFFE831F80E2769513AF5469FCCB9B0D21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:07.557{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BE806BFA17BFBFB4488D06B5F216036,SHA256=BD04FEBAE5055091EDECB1EC0B8520D535607BABF2582044C401515E9BB6C05D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:07.425{7942A313-E06C-61FC-3300-000000002D02}32243244C:\Windows\system32\conhost.exe{7942A313-EC7F-61FC-3402-000000002D02}6376C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
09:06:39.688{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=183D5478219C253C8147F89ED5CB8047,SHA256=42370A248928DFC9D51ACB8631270A452BDD42080AD04A52A85C83260A8D24CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127216Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:39.541{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127215Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:39.541{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127214Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:39.541{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000127213Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:39.441{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-EC9F-61FC-3902-000000002D02}7132C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127212Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:39.279{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E05A-61FC-1500-000000002D02}1228C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000127211Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:39.279{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E05A-61FC-1500-000000002D02}1228C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127210Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:39.279{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E05A-61FC-1500-000000002D02}1228C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000127209Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:39.210{7942A313-EC9F-61FC-3702-000000002D02}70287072C:\Windows\system32\conhost.exe{7942A313-EC9F-61FC-3902-000000002D02}7132C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127208Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:39.210{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127207Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:39.210{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127206Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:39.210{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127205Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:39.193{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127204Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:39.193{7942A313-E057-61FC-0500-000000002D02}416532C:\Windows\system32\csrss.exe{7942A313-EC9F-61FC-3902-000000002D02}7132C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000127203Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:39.193{7942A313-EC9F-61FC-3802-000000002D02}66366892C:\Windows\system32\cmd.exe{7942A313-EC9F-61FC-3902-000000002D02}7132C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000127202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:39.199{7942A313-EC9F-61FC-3902-000000002D02}7132C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-EC9E-61FC-D67C-1D0000000000}0x1d7cd60HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{7942A313-EC9F-61FC-3802-000000002D02}6636C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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 10341000x8000000000000000127201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:39.178{7942A313-EC9F-61FC-3702-000000002D02}70287072C:\Windows\system32\conhost.exe{7942A313-EC9F-61FC-3802-000000002D02}6636C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:39.178{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:39.178{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:39.178{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:39.178{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:39.178{7942A313-E057-61FC-0500-000000002D02}416532C:\Windows\system32\csrss.exe{7942A313-EC9F-61FC-3802-000000002D02}6636C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000127195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:39.162{7942A313-EC9F-61FC-3602-000000002D02}67287016C:\Windows\system32\WinrsHost.exe{7942A313-EC9F-61FC-3802-000000002D02}6636C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb 154100x8000000000000000127194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:39.171{7942A313-EC9F-61FC-3802-000000002D02}6636C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-EC9E-61FC-D67C-1D0000000000}0x1d7cd60HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{7942A313-EC9F-61FC-3602-000000002D02}6728C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 
10341000x8000000000000000127193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:39.162{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:39.162{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:39.149{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000127190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:39.117{7942A313-E05A-61FC-1400-000000002D02}9641412C:\Windows\system32\svchost.exe{7942A313-EC9F-61FC-3602-000000002D02}6728C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000127189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:39.102{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-EC9F-61FC-3602-000000002D02}6728C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:39.055{7942A313-EC9F-61FC-3702-000000002D02}70287072C:\Windows\system32\conhost.exe{7942A313-EC9F-61FC-3602-000000002D02}6728C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:39.032{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:39.032{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:39.032{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:39.017{7942A313-E057-61FC-0500-000000002D02}416532C:\Windows\system32\csrss.exe{7942A313-EC9F-61FC-3702-000000002D02}7028C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000127183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:39.017{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127182Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:39.001{7942A313-E057-61FC-0500-000000002D02}416408C:\Windows\system32\csrss.exe{7942A313-EC9F-61FC-3602-000000002D02}6728C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000127181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:39.001{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-EC9F-61FC-3602-000000002D02}6728C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366d9|c:\windows\system32\rpcss.dll+3bec2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000127180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:39.009{7942A313-EC9F-61FC-3602-000000002D02}6728C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{7942A313-EC9E-61FC-D67C-1D0000000000}0x1d7cd60HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{7942A313-E059-61FC-0C00-000000002D02}836C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000127179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:39.001{7942A313-E059-61FC-0C00-000000002D02}836500C:\Windows\system32\svchost.exe{7942A313-E05A-61FC-1600-000000002D02}1264C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:38.970{7942A313-E059-61FC-0C00-000000002D02}836500C:\Windows\system32\svchost.exe{7942A313-EC9E-61FC-3502-000000002D02}7000C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000127228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:40.801{7942A313-EC9F-61FC-3902-000000002D02}7132C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_lrnpory2.s2v.ps12022-02-04 09:06:40.801 10341000x8000000000000000127227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:40.770{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-EC9F-61FC-3902-000000002D02}7132C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:40.762{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-EC9F-61FC-3902-000000002D02}7132C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000127225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:40.577{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1347834F76BB4362343D971578BF2B5D,SHA256=734FA0C8C94FD2B7DD931AE012A2DA61C073438F3B1B15BBC5C0BD81CA1CF5A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:40.571{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A557DBD065D1DB32AFB5EB2CE29B8DAA,SHA256=133839E2AF589ABCFE3606A85600AD0C1710523786672A9E252A6562A762F42E,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000127223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:40.025{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DCB861929C6D6CBEACCF7F0FE759198B,SHA256=F7655A6E84376BD5480180DB2EC990E0438E8A82AC5B5BAF169991AB13642D51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:40.025{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=5417F1FC96C50B2DD784D587D0565C8F,SHA256=33F14DC5913AAECC3B2B710B27EDCDE2CF8B3CE95FA198449A0011ADFBD3D5E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000127221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:39.126{7942A313-E053-61FC-0100-000000002D02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse93.104.88.175ppp-93-104-88-175.dynamic.mnet-online.de50444-false10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local5986- 10341000x8000000000000000127265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:41.909{7942A313-EC9F-61FC-3702-000000002D02}70287072C:\Windows\system32\conhost.exe{7942A313-ECA1-61FC-3B02-000000002D02}7092C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000127264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:41.909{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:41.909{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000127262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:41.909{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:41.909{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000127260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:41.909{7942A313-E057-61FC-0500-000000002D02}416532C:\Windows\system32\csrss.exe{7942A313-ECA1-61FC-3B02-000000002D02}7092C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000127259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:41.909{7942A313-ECA1-61FC-3A02-000000002D02}71006524C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7942A313-ECA1-61FC-3B02-000000002D02}7092C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e2780099(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1c034f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1c0312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e26cb45b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1bc009
f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1c23b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1c05b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1c05b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1c059b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1bf66d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1c03c13(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1c037e0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1c034f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1c0312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e26cb45b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1be83d8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1be794a(wow64) 154100x8000000000000000127258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:41.911{7942A313-ECA1-61FC-3B02-000000002D02}7092C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-EC9E-61FC-D67C-1D0000000000}0x1d7cd60HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{7942A313-ECA1-61FC-3A02-000000002D02}7100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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 10341000x8000000000000000127257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:41.893{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000127256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:41.893{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:41.893{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000127254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:41.805{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1FFC59F19DDADFC04FA4C319C3AB5730,SHA256=56E36D0E4A8399CA3AF0D0C334D9DD13E61AA42337F51FF5A1DCFBB397E8B981,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:41.738{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-ECA1-61FC-3A02-000000002D02}7100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:41.737{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-ECA1-61FC-3A02-000000002D02}7100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
17141700x8000000000000000127251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-CreatePipe2022-02-04 09:06:41.625{7942A313-ECA1-61FC-3A02-000000002D02}7100\PSHost.132884392013590687.7100.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000127250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:41.608{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28448DF38054B7D10F9A89BF3D9601A0,SHA256=9C70CBE6AAB484F47C599670B9CB895E6F4B4EFFCC1C0300454E3F76DEED9E23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:41.592{7942A313-ECA1-61FC-3A02-000000002D02}7100ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_crw00ef2.5g2.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:41.592{7942A313-ECA1-61FC-3A02-000000002D02}7100ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_onn1vfyz.vhw.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000127247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:41.578{7942A313-ECA1-61FC-3A02-000000002D02}7100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_onn1vfyz.vhw.ps12022-02-04 09:06:41.577 10341000x8000000000000000127246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:41.449{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-ECA1-61FC-3A02-000000002D02}7100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
23542300x8000000000000000127273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:43.147{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B684E19E366A4D45BC95F651D0424767,SHA256=5D74CA95F09B9D477697B45DF62155D27EE2B9BB1504D4FDEF38513614DFD332,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:44.640{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B4C9ED8C92BF62A798BD9734BD9F481,SHA256=463077D124FAFFDFA9BF9F221BFDB320A4014A7D3EAF59236D5BCD1760F47613,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:44.355{7942A313-E05A-61FC-1600-000000002D02}12646108C:\Windows\system32\svchost.exe{7942A313-ECA4-61FC-3D02-000000002D02}6796C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+2227|C:\Windows\system32\wbem\wbemcore.dll+13f4|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:44.340{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-ECA4-61FC-3D02-000000002D02}6796C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:44.308{7942A313-E057-61FC-0500-000000002D02}416432C:\Windows\system32\csrss.exe{7942A313-ECA4-61FC-3D02-000000002D02}6796C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000127298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:44.308{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-ECA4-61FC-3D02-000000002D02}6796C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366d9|c:\windows\system32\rpcss.dll+3bec2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:44.224{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E057-61FC-0B00-000000002D02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:44.224{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E057-61FC-0B00-000000002D02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:44.224{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1600-000000002D02}1264C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:44.193{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-ECA1-61FC-3A02-000000002D02}7100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
354300x8000000000000000127293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:42.533{7942A313-E078-61FC-6A00-000000002D02}3528C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49379-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000127292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:44.001{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0DC1D5E6AA4F544FFEFADB7143DEEAD5,SHA256=3D63BDDBE0F669EA3D0426C100414D0F6FD03590A638BBF6809851BB88BA5CDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:45.661{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C441AA7568D83E30CE9439BBED3F23AC,SHA256=0AE9957158C32F39D5F0C4DC00E32806724FF20AD7009ABBD13349410F15A56F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:45.560{7942A313-ECA1-61FC-3A02-000000002D02}7100ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\SchCache\win-dc-tcontreras-attack-range-492.attackrange.local.schMD5=3B3531A335298119AD90D9B9BEB810AF,SHA256=77996876B4230A7DFCE13A77C0AA2E3B969AFA2A4562FD8583B6DDE3742EB2AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:45.514{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-ECA1-61FC-3A02-000000002D02}7100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000127313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:45.514{7942A313-ECA1-61FC-3A02-000000002D02}7100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft 
Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000127312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:45.509{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-ECA1-61FC-3A02-000000002D02}7100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:45.476{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-ECA1-61FC-3A02-000000002D02}7100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:45.461{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-ECA1-61FC-3A02-000000002D02}7100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000127309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:45.461{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-ECA1-61FC-3A02-000000002D02}7100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:45.461{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-ECA1-61FC-3A02-000000002D02}7100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:45.461{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-ECA1-61FC-3A02-000000002D02}7100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000127306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:45.461{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-ECA1-61FC-3A02-000000002D02}7100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+203da|C:\Windows\SYSTEM32\samsrv.dll+6141|C:\Windows\SYSTEM32\samsrv.dll+6042|C:\Windows\SYSTEM32\samsrv.dll+1614e|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000127305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:45.330{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2E8D8B0CC1C6255848A450BFA5666BC,SHA256=990323074D7F1F9C22AF8014E2B021700AD1E3FDDF3FF98B98D51D924BE35E0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:45.250{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-ECA1-61FC-3A02-000000002D02}7100C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000127303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:45.155{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C3102C71F09B2D530FEADE86628E5185,SHA256=0FAFE0795929588BCE18EEB80947DF09D72C6BCD1F258D6C4A2CD7C4EA4BA3DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:46.914{7942A313-E057-61FC-0A00-000000002D02}624NT AUTHORITY\SYSTEMC:\Windows\system32\services.exeC:\Windows\INF\acpi.PNFMD5=300F76ECFD5C7CF0CBFBDCD692C8DD23,SHA256=B87D5CA6E8EDEADDF92DBC66FBD6FAEB6B77719FDFCDB22BA6D5A5BF8BB32722,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:46.677{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFAF49DB1CEFF8C8BC2FE9CEBA8ECCB1,SHA256=4AA861D23F7B14D85DDE9DFFA927F6F5504E33D66FE56B3302985DA2AD924614,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:46.493{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01D264763266DDD8EAC233D37318B364,SHA256=B9A890AAF3BF06AD04B8275116008A8B1C486E6CA83DE9B6CD740CD53127A0EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:46.030{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=081BA7621B985FACCA8527C4E6E0F612,SHA256=41A2D71426940F8FE8A760F6EEE76017CD2B198EA842987784114AB84FD168CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:47.863{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C8E73FB947736E86138BB5E9FBB6F147,SHA256=AB921E4AE954BC7290CC2C38D697E30D8B6AD34687DDC0599F9ED5B9D0B19801,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:47.816{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:48.554{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:48.554{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:48.554{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000127369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:48.539{7942A313-E05A-61FC-1400-000000002D02}9644604C:\Windows\system32\svchost.exe{7942A313-ECA8-61FC-3F02-000000002D02}6476C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000127368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:48.523{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-ECA8-61FC-3F02-000000002D02}6476C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000127367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:45.463{7942A313-ECA1-61FC-3A02-000000002D02}7100win-dc-tcontreras-attack-range-492.attackrange.local0fe80::d08a:14f6:33fc:643b;::ffff:10.0.1.14;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x8000000000000000127366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:48.183{7942A313-ECA8-61FC-4002-000000002D02}70966548C:\Windows\system32\conhost.exe{7942A313-ECA8-61FC-3F02-000000002D02}6476C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:48.137{7942A313-E057-61FC-0500-000000002D02}416432C:\Windows\system32\csrss.exe{7942A313-ECA8-61FC-4002-000000002D02}7096C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000127364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:48.121{7942A313-E057-61FC-0500-000000002D02}416408C:\Windows\system32\csrss.exe{7942A313-ECA8-61FC-3F02-000000002D02}6476C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000127363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:48.121{7942A313-E059-61FC-0C00-000000002D02}836500C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:48.121{7942A313-E059-61FC-0C00-000000002D02}836500C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:48.121{7942A313-E059-61FC-0C00-000000002D02}836500C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:48.121{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-ECA8-61FC-3F02-000000002D02}6476C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366d9|c:\windows\system32\rpcss.dll+3bec2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:48.121{7942A313-E059-61FC-0C00-000000002D02}836500C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
154100x8000000000000000127358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:48.127{7942A313-ECA8-61FC-3F02-000000002D02}6476C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{7942A313-ECA8-61FC-FF4B-1E0000000000}0x1e4bff0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{7942A313-E059-61FC-0C00-000000002D02}836C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000127357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:48.117{7942A313-E059-61FC-0C00-000000002D02}836500C:\Windows\system32\svchost.exe{7942A313-E05A-61FC-1600-000000002D02}1264C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:48.098{7942A313-E059-61FC-0C00-000000002D02}836500C:\Windows\system32\svchost.exe{7942A313-ECA8-61FC-3E02-000000002D02}6396C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:48.067{7942A313-E057-61FC-0500-000000002D02}416432C:\Windows\system32\csrss.exe{7942A313-ECA8-61FC-3E02-000000002D02}6396C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000127354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:48.067{7942A313-E059-61FC-0C00-000000002D02}836500C:\Windows\system32\svchost.exe{7942A313-ECA8-61FC-3E02-000000002D02}6396C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366d9|c:\windows\system32\rpcss.dll+3bec2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:48.051{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1600-000000002D02}1264C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000127352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:48.051{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:48.051{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:48.051{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
23542300x8000000000000000127449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:49.860{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95783AD51FC4A58F58E8BECA840CAE16,SHA256=270824AB7DE5A31677A6C5D5DCC31B4C3196682F7CA27D6C3A630D8535E347F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:49.743{7942A313-E06C-61FC-3300-000000002D02}32243244C:\Windows\system32\conhost.exe{7942A313-ECA9-61FC-4502-000000002D02}6452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:49.740{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-ECA9-61FC-4302-000000002D02}6888C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:49.737{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:49.737{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:49.737{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000127488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:50.857{7942A313-ECAA-61FC-4602-000000002D02}6408ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\CSC1349CA60204C4B64A25B35ABCAE82B3.TMPMD5=98BD6856E26D53081FF10FDBDC1A2233,SHA256=54685DC25E00B63D05E6302E2C5DCC1A1C6D01EBEEC44D05575C7E18BDDF4C04,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000127487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.localDLL2022-02-04 09:06:50.841{7942A313-ECAA-61FC-4602-000000002D02}6408C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\4uy2lidr.dll2022-02-04 09:06:50.493 23542300x8000000000000000127486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:50.841{7942A313-ECAA-61FC-4602-000000002D02}6408ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\4uy2lidr.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:50.841{7942A313-ECAA-61FC-4602-000000002D02}6408ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES3B2B.tmpMD5=A14129E3FD30D66CD8AD8C652F5175F1,SHA256=09EB2C6322C4DA28B5B9533FB987C23E3D485229A1D77860503A327CFE7CAA24,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000127484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:50.825{7942A313-ECAA-61FC-4802-000000002D02}3164ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES3B2B.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:50.810{7942A313-ECA8-61FC-4002-000000002D02}70966548C:\Windows\system32\conhost.exe{7942A313-ECAA-61FC-4802-000000002D02}3164C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:50.810{7942A313-E057-61FC-0500-000000002D02}416408C:\Windows\system32\csrss.exe{7942A313-ECAA-61FC-4802-000000002D02}3164C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000127481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:50.810{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:50.810{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:50.810{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:50.810{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:50.810{7942A313-ECAA-61FC-4602-000000002D02}64086416C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{7942A313-ECAA-61FC-4802-000000002D02}3164C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b46d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3db4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3f2c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+4002|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27b2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2804|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2948|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7fe06|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+4726f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45e1f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45b16|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45826|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1938a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18bf6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+a831|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1f0a49|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000127476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:50.813{7942A313-ECAA-61FC-4802-000000002D02}3164C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 
"/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES3B2B.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSC1349CA60204C4B64A25B35ABCAE82B3.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECA8-61FC-FF4B-1E0000000000}0x1e4bff0HighMD5=C877CBB966EA5939AA2A17B6A5160950,SHA256=1FE531EAC592B480AA4BD16052B909C3431434F17E7AE163D248355558CE43A6,IMPHASH=55D76ADE7FFEA0F41FF2B55505C2B362{7942A313-ECAA-61FC-4602-000000002D02}6408C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\4uy2lidr.cmdline" 23542300x8000000000000000127475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:50.810{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=891A60A122097F46D0FE4C0350C2126B,SHA256=32FE04AA7FE42DC5F50D016BDE9E3F2799ED691B29303A8A062B3C465825EF47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:50.555{7942A313-E06C-61FC-3300-000000002D02}32243244C:\Windows\system32\conhost.exe{7942A313-ECAA-61FC-4702-000000002D02}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:50.553{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:50.553{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:50.552{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:50.552{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:50.549{7942A313-ECA8-61FC-4002-000000002D02}70966548C:\Windows\system32\conhost.exe{7942A313-ECAA-61FC-4602-000000002D02}6408C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:50.547{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:50.547{7942A313-E057-61FC-0500-000000002D02}416432C:\Windows\system32\csrss.exe{7942A313-ECAA-61FC-4702-000000002D02}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000127466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:50.547{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:50.547{7942A313-E06B-61FC-2C00-000000002D02}29844028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7942A313-ECAA-61FC-4702-000000002D02}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000127464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:50.546{7942A313-ECAA-61FC-4702-000000002D02}6400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7942A313-E058-61FC-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{7942A313-E06B-61FC-2C00-000000002D02}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000127463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:50.546{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000127462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:50.546{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:50.546{7942A313-E057-61FC-0500-000000002D02}416408C:\Windows\system32\csrss.exe{7942A313-ECAA-61FC-4602-000000002D02}6408C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000127460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:50.545{7942A313-ECA9-61FC-4302-000000002D02}68886516C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7942A313-ECAA-61FC-4602-000000002D02}6408C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2be405|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2be05f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2bdb80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2bdb08|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2bc1c3|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+7d88f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+7d836a|UNKNOWN(00007FFF9915C04F) 154100x8000000000000000127459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:50.499{7942A313-ECAA-61FC-4602-000000002D02}6408C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths 
@"C:\Users\ADMINI~1\AppData\Local\Temp\4uy2lidr.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECA8-61FC-FF4B-1E0000000000}0x1e4bff0HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{7942A313-ECA9-61FC-4302-000000002D02}6888C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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 11241100x8000000000000000127458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:50.494{7942A313-ECA9-61FC-4302-000000002D02}6888C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\4uy2lidr.cmdline2022-02-04 09:06:50.494 11241100x8000000000000000127457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.localDLL2022-02-04 09:06:50.493{7942A313-ECA9-61FC-4302-000000002D02}6888C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\4uy2lidr.dll2022-02-04 09:06:50.493 23542300x8000000000000000127456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:50.227{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1772E6549F73BCD3E0C59E64E43217AB,SHA256=605A75D73845BFC10E32381AC8FAC45FE0FA9E440CEACDA0D32AF3E07E532DF1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000127455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:49.162{7942A313-E057-61FC-0B00-000000002D02}632C:\Windows\System32\lsass.exeNT 
AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local49385-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local389ldap 354300x8000000000000000127454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:49.162{7942A313-E06B-61FC-2300-000000002D02}2744C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local49385-true0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local389ldap 354300x8000000000000000127453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:48.334{7942A313-E053-61FC-0100-000000002D02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse93.104.88.175ppp-93-104-88-175.dynamic.mnet-online.de50448-false10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local5986- 10341000x8000000000000000127452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:50.060{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:50.060{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:50.050{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
17141700x8000000000000000127560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-CreatePipe2022-02-04 09:06:51.965{7942A313-ECAB-61FC-4B02-000000002D02}6756\PSHost.132884392117618535.6756.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000127559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.925{7942A313-ECAB-61FC-4B02-000000002D02}6756ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ksim1olr.f2u.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.906{7942A313-ECAB-61FC-4B02-000000002D02}6756ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_kp3dqwtx.hsk.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.906{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C96DC163F9528172EB962E455B4B3293,SHA256=919E4623482E3AC903EDC81CAB0926CA9A470206D2E7AFAB03A9BC076C436651,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:51.881{7942A313-E06C-61FC-3300-000000002D02}32243244C:\Windows\system32\conhost.exe{7942A313-ECAB-61FC-4C02-000000002D02}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.879{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:51.879{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.879{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000127552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.879{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CD68CBBE0DFB01D12C309AB3693DBE0,SHA256=C36BEA588F486728CAFF8E88546EE02867B12B826FE6DA48B6EF76EDB4CF4A10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127551Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.878{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000127550Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.878{7942A313-ECAB-61FC-4B02-000000002D02}6756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_kp3dqwtx.hsk.ps12022-02-04 09:06:51.877 10341000x8000000000000000127549Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.876{7942A313-E057-61FC-0500-000000002D02}416532C:\Windows\system32\csrss.exe{7942A313-ECAB-61FC-4C02-000000002D02}6408C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000127548Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.876{7942A313-E06B-61FC-2C00-000000002D02}29844028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7942A313-ECAB-61FC-4C02-000000002D02}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000127547Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.875{7942A313-ECAB-61FC-4C02-000000002D02}6408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{7942A313-E058-61FC-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7942A313-E06B-61FC-2C00-000000002D02}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000127546Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.856{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-ECAB-61FC-4B02-000000002D02}6756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127545Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:51.835{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-ECAB-61FC-4B02-000000002D02}6756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127544Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.814{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-ECAB-61FC-4B02-000000002D02}6756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000127543Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.767{7942A313-ECA8-61FC-4002-000000002D02}70966548C:\Windows\system32\conhost.exe{7942A313-ECAB-61FC-4B02-000000002D02}6756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127542Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.765{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:51.765{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.764{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:51.763{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.762{7942A313-E057-61FC-0500-000000002D02}416408C:\Windows\system32\csrss.exe{7942A313-ECAB-61FC-4B02-000000002D02}6756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000127537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:51.762{7942A313-ECAB-61FC-4A02-000000002D02}68686992C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7942A313-ECAB-61FC-4B02-000000002D02}6756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e2130031(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e15b348a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e15b30c5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e207b3f3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1570037(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e15d3aa9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e15b5ab8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e15b5ab8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af264
8a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e15b5949(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e15a6669(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e15b3bab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e15b3778(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e15b348a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e15b30c5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e207b3f3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1598370(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e15978e2(wow64) 154100x8000000000000000127536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.761{7942A313-ECAB-61FC-4B02-000000002D02}6756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 
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C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECA8-61FC-FF4B-1E0000000000}0x1e4bff0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{7942A313-ECAB-61FC-4A02-000000002D02}6868C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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 10341000x8000000000000000127535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.698{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-ECAB-61FC-4A02-000000002D02}6868C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:51.698{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-ECAB-61FC-4A02-000000002D02}6868C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000127533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-CreatePipe2022-02-04 09:06:51.643{7942A313-ECAB-61FC-4A02-000000002D02}6868\PSHost.132884392114756671.6868.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000127532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.596{7942A313-ECAB-61FC-4A02-000000002D02}6868ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_nu1ieoxq.div.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127531Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:51.596{7942A313-ECAB-61FC-4A02-000000002D02}6868ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_qwjxni0m.zqh.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000127530Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.565{7942A313-ECAB-61FC-4A02-000000002D02}6868C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_qwjxni0m.zqh.ps12022-02-04 09:06:51.565 10341000x8000000000000000127529Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.560{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-ECAB-61FC-4A02-000000002D02}6868C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127528Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:51.545{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-ECAB-61FC-4A02-000000002D02}6868C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000127527Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.527{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1B07BBC39E969979EE7BB1AB4C274A9,SHA256=251DECCF965BAAF2CD094432D00D2657CA27F905A7ED46743CCA1A2AFC531585,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127526Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:51.512{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-ECAB-61FC-4A02-000000002D02}6868C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127525Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.481{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
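The records above are raw Sysmon events from the attack-range domain controller: Event ID 10 (ProcessAccess) entries where lsass.exe opens handles to powershell.exe with GrantedAccess 0x1000 and 0x1478 from inside lsasrv/SspiSrv RPC calls, svchost.exe opening sysmon64.exe with 0x1400 via lsm.dll, conhost/csrss opening their clients with 0x1fffff, and an Event ID 3 (NetworkConnect) entry with Initiated=false from 93.104.88.175 to 10.0.1.14:5986 (WinRM over HTTPS). The following is an added triage example, not part of this dataset or of Splunk's attack_range: it decodes the GrantedAccess mask into PROCESS_* rights, classifies ProcessAccess events by direction (lsass.exe as the target, not the source), rights and call-trace quality, and flags inbound management-port connections from globally routable addresses. The sample events are constructed from field values visible in the dump; the LSASS allowlist, the management-port table and the two synthetic LSASS-target events (including the hypothetical path C:\Users\Public\tool.exe) are assumptions made for the example.

```python
"""Triage of Sysmon Event ID 10 (ProcessAccess) and Event ID 3 (NetworkConnect)
records like those in the dump above. Added example, not part of the dataset:
the sample events are constructed from field values visible on the page, and the
allowlist, port table and two synthetic LSASS-target events are assumptions."""
import ipaddress

# PROCESS_* access rights (winnt.h); 0x1FFFFF is PROCESS_ALL_ACCESS.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PROCESS_ALL_ACCESS = 0x1FFFFF
MEMORY_RIGHTS = 0x0002 | 0x0008 | 0x0010 | 0x0020 | 0x0040  # read/tamper with memory
# Assumed allowlist of images that routinely open LSASS; tune it per host role.
LSASS_ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe",
                   r"c:\windows\system32\services.exe", r"c:\windows\system32\svchost.exe"}
# Assumed inbound remote-management ports worth alerting on.
MANAGEMENT_PORTS = {5985: "winrm-http", 5986: "winrm-https", 3389: "rdp", 445: "smb"}


def decode_access(mask):
    """Expand a Sysmon GrantedAccess value ("0x1478" or an int) into right names."""
    value = int(mask, 16) if isinstance(mask, str) else mask
    if value & PROCESS_ALL_ACCESS == PROCESS_ALL_ACCESS:
        return ["PROCESS_ALL_ACCESS"]
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if value & bit]


def triage_process_access(event):
    """Classify one Event ID 10 record as ignore / allowlisted / review / alert.

    Direction matters: in the dump lsass.exe is the *source*, opening a handle to
    its RPC client from lsasrv/SspiSrv, which is routine. The interesting case is
    a non-allowlisted process opening lsass.exe as the *target*.
    """
    if not event["TargetImage"].lower().endswith(r"\lsass.exe"):
        return "ignore", []
    if event["SourceImage"].lower() in LSASS_ALLOWLIST:
        return "allowlisted", []
    reasons = []
    mask = int(event["GrantedAccess"], 16)
    if mask & MEMORY_RIGHTS:
        reasons.append("memory rights: " + ",".join(decode_access(mask & MEMORY_RIGHTS)))
    frames = event["CallTrace"].split("|")
    if any(f.startswith("UNKNOWN") for f in frames):  # frame in unbacked (injected) memory
        reasons.append("call trace contains unbacked code")
    for module in sorted({f.split("+")[0] for f in frames if not f.startswith("UNKNOWN")
                          and not f.lower().startswith("c:\\windows\\")}):
        reasons.append("call trace enters " + module)
    # A query-only handle (e.g. 0x1000 from a process listing) gets a look, not an alert.
    return ("alert" if reasons else "review"), reasons


def flag_inbound_management(event):
    """Event ID 3: inbound TCP to a management port from a globally routable address."""
    if event["Protocol"] != "tcp" or event["Initiated"] != "false":
        return None
    port = int(event["DestinationPort"])
    src = ipaddress.ip_address(event["SourceIp"])
    if port not in MANAGEMENT_PORTS or not src.is_global:
        return None
    return f"{MANAGEMENT_PORTS[port]} from {src} to {event['DestinationIp']}:{port}"


NTDLL = r"C:\Windows\SYSTEM32\ntdll.dll+a6144"
# Constructed samples: the first three mirror records in the dump, the last two
# are synthetic LSASS-target events that exercise the review and alert paths.
SAMPLE_ACCESS = [
    {"SourceImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1478",
     "TargetImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CallTrace": NTDLL + r"|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\SYSTEM32\SspiSrv.dll+11a2"},
    {"SourceImage": r"C:\Windows\system32\svchost.exe", "GrantedAccess": "0x1400",
     "TargetImage": r"C:\Windows\sysmon64.exe",
     "CallTrace": NTDLL + r"|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18"},
    {"SourceImage": r"C:\Windows\system32\conhost.exe", "GrantedAccess": "0x1fffff",
     "TargetImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CallTrace": NTDLL + r"|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7"},
    {"SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000",
     "CallTrace": NTDLL + r"|C:\Windows\System32\KERNELBASE.dll+221bd"},
    {"SourceImage": r"C:\Users\Public\tool.exe", "GrantedAccess": "0x1010",  # hypothetical
     "TargetImage": r"C:\Windows\system32\lsass.exe",
     "CallTrace": NTDLL + r"|UNKNOWN(000001C5A3F20000)|C:\Users\Public\tool.exe+1a2b"},
]
SAMPLE_NETWORK = [
    {"Protocol": "tcp", "Initiated": "false", "SourceIp": "93.104.88.175",
     "SourcePort": "50448", "DestinationIp": "10.0.1.14", "DestinationPort": "5986"},
    {"Protocol": "tcp", "Initiated": "true", "SourceIp": "0:0:0:0:0:0:0:1",
     "SourcePort": "49385", "DestinationIp": "0:0:0:0:0:0:0:1", "DestinationPort": "389"},
]

if __name__ == "__main__":
    for e in SAMPLE_ACCESS:
        print(triage_process_access(e), decode_access(e["GrantedAccess"]), e["SourceImage"])
    print([flag_inbound_management(e) for e in SAMPLE_NETWORK])
```

On real data, build the event dicts from the Sysmon XML (`EventData/Data[@Name="SourceImage"]` and so on) rather than from the flattened text above, because the concatenated fields in this dump do not separate SourceProcessId from SourceThreadId. Note that 0x1478 decodes to VM_OPERATION, VM_READ, VM_WRITE, DUP_HANDLE and both QUERY rights, which would be alarming if a client held it on lsass.exe, but here it is the reverse direction (lsass.exe opening its SSPI client), so a rule keyed only on "lsass.exe appears in the event" would fire on routine authentication traffic.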
10341000x8000000000000000127524Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.481{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127523Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.481{7942A313-ECA8-61FC-4002-000000002D02}70966548C:\Windows\system32\conhost.exe{7942A313-ECAB-61FC-4A02-000000002D02}6868C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127522Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:51.465{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127521Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.465{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127520Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:51.465{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127519Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.465{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127518Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:51.465{7942A313-E057-61FC-0500-000000002D02}416432C:\Windows\system32\csrss.exe{7942A313-ECAB-61FC-4A02-000000002D02}6868C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000127517Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.465{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127516Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:51.465{7942A313-ECAB-61FC-4902-000000002D02}66046556C:\Windows\system32\cmd.exe{7942A313-ECAB-61FC-4A02-000000002D02}6868C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000127515Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.475{7942A313-ECAB-61FC-4A02-000000002D02}6868C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECA8-61FC-FF4B-1E0000000000}0x1e4bff0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{7942A313-ECAB-61FC-4902-000000002D02}6604C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 
UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcA
QgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x8000000000000000127514Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.465{7942A313-ECA8-61FC-4002-000000002D02}70966548C:\Windows\system32\conhost.exe{7942A313-ECAB-61FC-4902-000000002D02}6604C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127513Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.463{7942A313-E057-61FC-0500-000000002D02}416432C:\Windows\system32\csrss.exe{7942A313-ECAB-61FC-4902-000000002D02}6604C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000127512Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:51.463{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127511Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.463{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127510Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:51.462{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127509Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.462{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127508Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:51.462{7942A313-ECA8-61FC-3F02-000000002D02}64766532C:\Windows\system32\WinrsHost.exe{7942A313-ECAB-61FC-4902-000000002D02}6604C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb 154100x8000000000000000127507Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.462{7942A313-ECAB-61FC-4902-000000002D02}6604C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECA8-61FC-FF4B-1E0000000000}0x1e4bff0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{7942A313-ECA8-61FC-3F02-000000002D02}6476C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 
10341000x8000000000000000127506Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.458{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:51.443{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.443{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000127503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.411{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:51.411{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.411{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
23542300x8000000000000000127500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.411{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E53E123C852392F2538F06D45620653C,SHA256=C26F97130E714E40290EA152D4807C9BD4C0B789CC0BA0BBA32D5513FB7C81BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.396{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3E419B661976DD9A1D483A0D05FE392D,SHA256=0F582D403DA326231EE5C815EFBCA24862339335FEE1E763808EE3CCE451DD1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127498Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.380{7942A313-ECA8-61FC-4202-000000002D02}6668ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127497Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:51.343{7942A313-ECA9-61FC-4302-000000002D02}6888ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127496Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.096{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B1B83BAAD1FA9AB2AB279E5B2EF156DE,SHA256=8FD6A5AE341B594F13006AFF861CCB672F4FFFFE6E0CB2F9713DBDF1340AC89C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127495Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:51.064{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56E6AF05D4560F042993C8CB1C635ED1,SHA256=270E7B951C0AC1CF006E3B59CD9EE8546FCCE315E96B66CA35ED6F39F5C2755D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:52.906{7942A313-ECA8-61FC-4002-000000002D02}70966548C:\Windows\system32\conhost.exe{7942A313-ECAC-61FC-4E02-000000002D02}6516C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:52.904{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:52.177{7942A313-ECAB-61FC-4B02-000000002D02}67566960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7942A313-ECAC-61FC-4D02-000000002D02}6760C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e2040024(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e14c347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e14c30b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1f8b3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e148002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e14e3a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e14c5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e14c5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\S
ystem.Management.Automation.ni.dll+e14c593c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e14b665c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e14c3b9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e14c376b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e14c347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e14c30b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1f8b3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e14a8363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e14a78d5(wow64) 154100x8000000000000000127566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:52.177{7942A313-ECAC-61FC-4D02-000000002D02}6760C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 
65001C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECA8-61FC-FF4B-1E0000000000}0x1e4bff0HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{7942A313-ECAB-61FC-4B02-000000002D02}6756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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 10341000x8000000000000000127565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:52.174{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:52.174{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:52.171{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000127562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:52.003{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-ECAB-61FC-4B02-000000002D02}6756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:52.003{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-ECAB-61FC-4B02-000000002D02}6756C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:53.982{7942A313-E05A-61FC-1400-000000002D02}9642100C:\Windows\system32\svchost.exe{7942A313-ECAD-61FC-5102-000000002D02}6052C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000127667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:53.967{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-ECAD-61FC-5102-000000002D02}6052C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:53.934{7942A313-ECAD-61FC-5202-000000002D02}64927080C:\Windows\system32\conhost.exe{7942A313-ECAD-61FC-5102-000000002D02}6052C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:53.897{7942A313-E057-61FC-0500-000000002D02}416532C:\Windows\system32\csrss.exe{7942A313-ECAD-61FC-5202-000000002D02}6492C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000127664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:53.881{7942A313-E059-61FC-0C00-000000002D02}836500C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:53.881{7942A313-E059-61FC-0C00-000000002D02}836500C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:53.881{7942A313-E059-61FC-0C00-000000002D02}836500C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:53.881{7942A313-E059-61FC-0C00-000000002D02}836500C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:53.881{7942A313-E057-61FC-0500-000000002D02}416408C:\Windows\system32\csrss.exe{7942A313-ECAD-61FC-5102-000000002D02}6052C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000127659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:53.881{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-ECAD-61FC-5102-000000002D02}6052C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366d9|c:\windows\system32\rpcss.dll+3bec2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000127658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:53.883{7942A313-ECAD-61FC-5102-000000002D02}6052C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe 
-EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{7942A313-ECAD-61FC-80F3-1E0000000000}0x1ef3800HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{7942A313-E059-61FC-0C00-000000002D02}836C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x8000000000000000127657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:53.865{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DAE1BB6A4AC77E8E5733699A17049B98,SHA256=521F335B993D91A6FB46B074968C023323F89C27F2BBA46EF9C0E11AAD62CB98,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:53.865{7942A313-E059-61FC-0C00-000000002D02}836500C:\Windows\system32\svchost.exe{7942A313-E05A-61FC-1600-000000002D02}1264C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000127655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:53.865{7942A313-E059-61FC-0C00-000000002D02}836500C:\Windows\system32\svchost.exe{7942A313-ECAD-61FC-5002-000000002D02}6696C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:53.850{7942A313-E057-61FC-0500-000000002D02}416408C:\Windows\system32\csrss.exe{7942A313-ECAD-61FC-5002-000000002D02}6696C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000127653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:53.850{7942A313-E059-61FC-0C00-000000002D02}836500C:\Windows\system32\svchost.exe{7942A313-ECAD-61FC-5002-000000002D02}6696C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366d9|c:\windows\system32\rpcss.dll+3bec2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:53.834{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1600-000000002D02}1264C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000127651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:53.834{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:53.834{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:53.834{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000127648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:53.680{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:53.680{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:53.680{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000127645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:53.665{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:53.665{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:53.665{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
23542300x8000000000000000127642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:53.634{7942A313-ECAB-61FC-4A02-000000002D02}6868ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:53.580{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EF29B99D78A1C8E6B9EE039A73FF2119,SHA256=58086D0500F2B93A60C0998BD0B82AEF67DE201638D2466960239D3F1961384B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:53.564{7942A313-ECAB-61FC-4B02-000000002D02}6756ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:53.332{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7421B1290F4F886E02BF7DE5C3AE6C1E,SHA256=D93F89AF0172F72BB36FDB54BDE169846E95369B77613169C150DE21432EB3DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:53.332{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FC01E85817D89CEB4A3519F43E8B9EBA,SHA256=5D2274AC4B90C8319D86BA3F3AC9B815C55A68589AD7A3A40BD712B1FFE3DE5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:53.105{7942A313-ECAB-61FC-4B02-000000002D02}6756ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\arua4uxj.dllMD5=36242817D82C26E219DB6C19B65311D4,SHA256=26D2B5A4EB8BA7302372D1BDAE4A9C55276EE04CAEF7E7799B103A53F5103C1F,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x8000000000000000127636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:53.104{7942A313-ECAB-61FC-4B02-000000002D02}6756ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\arua4uxj.pdbMD5=CF97041A3DD078EAD039D8D9BC3DDBA8,SHA256=08209ED845878CB2C9AD6D4835E5E81D7905F52C1EDA7A935FEAA6F806105FF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:53.102{7942A313-ECAB-61FC-4B02-000000002D02}6756ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\arua4uxj.outMD5=88B5B38082E4070288A3B6F1B39ED378,SHA256=70EAADE0283D1A9C3D8D0BABCDCB3241F2409A2433BA85E2B5C523464B785A9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:53.097{7942A313-ECAB-61FC-4B02-000000002D02}6756ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\arua4uxj.0.csMD5=054C0A1487614BA970CB949FA443FFFB,SHA256=6B88C7F565FF6B5879B03F6F3622B596B63D0C76E3EC5751390A446AF187E21D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:53.096{7942A313-ECAB-61FC-4B02-000000002D02}6756ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\arua4uxj.cmdlineMD5=922EDBEC6D89DE163A02275B077D0A13,SHA256=1E47150B690EFEB820FD07BDECB0333C578FB0A8A13775EECAC275EC6B2F4536,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:53.080{7942A313-ECAC-61FC-4E02-000000002D02}6516ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\CSC53F2D4A096834B50A732F2DDE1532BD.TMPMD5=A1B4055FAE74C95ADEBF1EB5F5AB2E34,SHA256=A500071ECF2F676BE6BC5B4D713D8A6660C0C583C1B183929D296F68AE9CD8BA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000127631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.localDLL2022-02-04 
09:06:53.070{7942A313-ECAC-61FC-4E02-000000002D02}6516C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\arua4uxj.dll2022-02-04 09:06:52.900 23542300x8000000000000000127630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:53.070{7942A313-ECAC-61FC-4E02-000000002D02}6516ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\arua4uxj.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:53.060{7942A313-ECAC-61FC-4E02-000000002D02}6516ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES43C6.tmpMD5=5E0968CE3575023BD9433B4E9EA285F0,SHA256=66E5E1E5413A04D22268A4D0F4DD0594816B05302A0B3BDBE957954A3D0EDE08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:53.042{7942A313-ECAD-61FC-4F02-000000002D02}7056ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES43C6.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:53.041{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=361F179DB7D1D00F55D678FF9F6293C6,SHA256=3B2B308029DF95B7C2ACAD7596320D28535C0C3A589E79AF4AB0BAFE1E2B0F4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:53.028{7942A313-ECA8-61FC-4002-000000002D02}70966548C:\Windows\system32\conhost.exe{7942A313-ECAD-61FC-4F02-000000002D02}7056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:53.024{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:53.024{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:53.023{7942A313-E057-61FC-0500-000000002D02}416532C:\Windows\system32\csrss.exe{7942A313-ECAD-61FC-4F02-000000002D02}7056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000127622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:53.023{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:53.023{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:53.019{7942A313-ECAC-61FC-4E02-000000002D02}65166692C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{7942A313-ECAD-61FC-4F02-000000002D02}7056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b46d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3db4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3f2c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+4002|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27b2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2804|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2948|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7fe06|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+4726f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45e1f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45b16|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45826|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1938a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18bf6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+a831|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1f0a49|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000127619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:53.019{7942A313-ECAD-61FC-4F02-000000002D02}7056C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 
"/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES43C6.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSC53F2D4A096834B50A732F2DDE1532BD.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECA8-61FC-FF4B-1E0000000000}0x1e4bff0HighMD5=C877CBB966EA5939AA2A17B6A5160950,SHA256=1FE531EAC592B480AA4BD16052B909C3431434F17E7AE163D248355558CE43A6,IMPHASH=55D76ADE7FFEA0F41FF2B55505C2B362{7942A313-ECAC-61FC-4E02-000000002D02}6516C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\arua4uxj.cmdline" 10341000x8000000000000000127731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:54.815{7942A313-ECAD-61FC-5202-000000002D02}64927080C:\Windows\system32\conhost.exe{7942A313-ECAE-61FC-5602-000000002D02}6960C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:54.815{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:54.815{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:54.815{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:54.815{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:54.815{7942A313-E057-61FC-0500-000000002D02}416408C:\Windows\system32\csrss.exe{7942A313-ECAE-61FC-5602-000000002D02}6960C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000127725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:54.815{7942A313-ECAE-61FC-5502-000000002D02}64126436C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7942A313-ECAE-61FC-5602-000000002D02}6960C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e237006b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17f34c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17f30ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e22bb42d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17b0071(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Aut
omation.ni.dll+e1813ae3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17f5af2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17f5af2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17f5983(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17e66a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17f3be5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17f37b2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17f34c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17f30ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e22bb42d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17d83aa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17d791c(wow64) 154100x8000000000000000127724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:54.823{7942A313-ECAE-61FC-5602-000000002D02}6960C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® 
Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECAD-61FC-80F3-1E0000000000}0x1ef3800HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{7942A313-ECAE-61FC-5502-000000002D02}6412C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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 10341000x8000000000000000127723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:54.784{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
BRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECAD-61FC-80F3-1E0000000000}0x1ef3800HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{7942A313-ECAE-61FC-5302-000000002D02}6876C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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 23542300x8000000000000000127680Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:54.034{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59254C31E92CA00FB0327E9F811CDCEA,SHA256=7CB61EB6667630D72180FECD383E71A04F9677BD918561D95BE78C0CF58B32F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127679Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:54.019{7942A313-ECAD-61FC-5202-000000002D02}64927080C:\Windows\system32\conhost.exe{7942A313-ECAE-61FC-5302-000000002D02}6876C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127678Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:54.019{7942A313-E057-61FC-0500-000000002D02}416532C:\Windows\system32\csrss.exe{7942A313-ECAE-61FC-5302-000000002D02}6876C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000127677Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:54.019{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127676Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:54.019{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127675Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:54.019{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127674Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:54.019{7942A313-ECAD-61FC-5102-000000002D02}60527124C:\Windows\system32\WinrsHost.exe{7942A313-ECAE-61FC-5302-000000002D02}6876C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb 10341000x8000000000000000127673Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:54.019{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000127672Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:54.019{7942A313-ECAE-61FC-5302-000000002D02}6876C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECAD-61FC-80F3-1E0000000000}0x1ef3800HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{7942A313-ECAD-61FC-5102-000000002D02}6052C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000127671Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:54.000{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127670Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:54.000{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:54.000{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
23542300x8000000000000000127772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:55.980{7942A313-ECAE-61FC-5502-000000002D02}6412ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\vex1e25u.outMD5=A9D37835773B6DFE9E777E1C8730C09C,SHA256=BC6983BFBF08784FAD4890936E403EF4B6B0D8F1AE900871D03059A5F8A3B252,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:55.963{7942A313-ECAE-61FC-5502-000000002D02}6412ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\vex1e25u.cmdlineMD5=8873D17D9309C4414A35B0295777ADEA,SHA256=D00EB2C30FF9131492BC6FF721C5F38D707345C3D91EF4235089E585F646BC0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:55.963{7942A313-ECAE-61FC-5502-000000002D02}6412ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\vex1e25u.0.csMD5=44815CB25A26138A7FD7D3913389A1EF,SHA256=2FA6F086E1B722523C9234D388346BB140EAA3D3047C298403CEDF7BA59A3B57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:55.963{7942A313-ECAE-61FC-5502-000000002D02}6412ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\vex1e25u.pdbMD5=A9051D4D463B9D30582D4B130A879BF1,SHA256=735A0B15922641934F53DCBEAEDF0A086CDF3E6D4548E9D488363647A6C1A346,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000127768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:55.963{7942A313-ECAE-61FC-5502-000000002D02}6412ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\vex1e25u.dllMD5=7A633CEC2FD5C6DEA8DF20BDFFDA3351,SHA256=A225B9D944E4316328EA30072B1B1ED9B32622DFE3EAF92C5DF0926969CF55F2,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x8000000000000000127767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:55.947{7942A313-ECAF-61FC-5702-000000002D02}6944ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\CSC3E75DEA3FEF8411F9872F59EAA53F435.TMPMD5=037293404232A8CA5FE59D37356B56EF,SHA256=7EBA89D6BCE1B11A9EFF68CC11BF1F6551D47642550C524A5EA9613436CE5B54,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000127766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.localDLL2022-02-04 09:06:55.947{7942A313-ECAF-61FC-5702-000000002D02}6944C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\vex1e25u.dll2022-02-04 09:06:55.762 23542300x8000000000000000127765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:55.947{7942A313-ECAF-61FC-5702-000000002D02}6944ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\vex1e25u.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:55.947{7942A313-ECAF-61FC-5702-000000002D02}6944ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES4F30.tmpMD5=F43D4A5646A4040AE71D7C5E6CDADFB2,SHA256=37764B23462D9C8F3F975E6FDB3E23E7EDA3072C9557A4B19A1CFB9F66A1184E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:55.947{7942A313-ECAF-61FC-5802-000000002D02}6772ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES4F30.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:55.931{7942A313-ECAD-61FC-5202-000000002D02}64927080C:\Windows\system32\conhost.exe{7942A313-ECAF-61FC-5802-000000002D02}6772C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:55.931{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:55.931{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:55.931{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:55.931{7942A313-E057-61FC-0500-000000002D02}416532C:\Windows\system32\csrss.exe{7942A313-ECAF-61FC-5802-000000002D02}6772C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000127757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:55.931{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:55.931{7942A313-ECAF-61FC-5702-000000002D02}69446684C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{7942A313-ECAF-61FC-5802-000000002D02}6772C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b46d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3db4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3f2c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+4002|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27b2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2804|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2948|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7fe06|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+4726f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45e1f
|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45b16|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45826|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1938a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18bf6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+a831|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1f0a49|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000127755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:55.936{7942A313-ECAF-61FC-5802-000000002D02}6772C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES4F30.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSC3E75DEA3FEF8411F9872F59EAA53F435.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECAD-61FC-80F3-1E0000000000}0x1ef3800HighMD5=C877CBB966EA5939AA2A17B6A5160950,SHA256=1FE531EAC592B480AA4BD16052B909C3431434F17E7AE163D248355558CE43A6,IMPHASH=55D76ADE7FFEA0F41FF2B55505C2B362{7942A313-ECAF-61FC-5702-000000002D02}6944C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\vex1e25u.cmdline" 10341000x8000000000000000127754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:55.784{7942A313-ECAD-61FC-5202-000000002D02}64927080C:\Windows\system32\conhost.exe{7942A313-ECAF-61FC-5702-000000002D02}6944C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:55.769{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:55.769{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:55.768{7942A313-E057-61FC-0500-000000002D02}416532C:\Windows\system32\csrss.exe{7942A313-ECAF-61FC-5702-000000002D02}6944C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000127750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:55.768{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:55.768{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:55.768{7942A313-ECAE-61FC-5502-000000002D02}64126436C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7942A313-ECAF-61FC-5702-000000002D02}6944C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2be405|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2be05f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2bdb80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2bdb08|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2bc1c3|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+7d88f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+7d836a|UNKNOWN(00007FFF9913C76F) 154100x8000000000000000127747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:55.767{7942A313-ECAF-61FC-5702-000000002D02}6944C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths 
@"C:\Users\ADMINI~1\AppData\Local\Temp\vex1e25u.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECAD-61FC-80F3-1E0000000000}0x1ef3800HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{7942A313-ECAE-61FC-5502-000000002D02}6412C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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 11241100x8000000000000000127746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:55.763{7942A313-ECAE-61FC-5502-000000002D02}6412C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\vex1e25u.cmdline2022-02-04 09:06:55.763 11241100x8000000000000000127745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.localDLL2022-02-04 09:06:55.762{7942A313-ECAE-61FC-5502-000000002D02}6412C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\vex1e25u.dll2022-02-04 09:06:55.762 23542300x8000000000000000127744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:55.738{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=544C70B7EDFAF6E1F5207D01C393E2FB,SHA256=79643AD8F11F5870F252F0D678D8799EB56F2D97B09C27FD8BD65A2AD83A15F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:55.547{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:55.546{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:55.539{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
23542300x8000000000000000127740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:55.497{7942A313-E06B-61FC-2400-000000002D02}2760NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db9be1e42b7ba0dd\channels\health\surveyor-20220204081435-051MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000127739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:54.146{7942A313-E053-61FC-0100-000000002D02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse93.104.88.175ppp-93-104-88-175.dynamic.mnet-online.de50449-false10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local5986- 354300x8000000000000000127738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:53.449{7942A313-E078-61FC-6A00-000000002D02}3528C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49386-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000127737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:55.117{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-ECAE-61FC-5502-000000002D02}6412C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000127736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:55.117{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA5C411BEC56840CD2F8CE07930234FD,SHA256=181527D0E3701926580FB732B9D602C97441311E335EB5C6A630FF5B07E5D60E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:55.016{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=754ACB2A8FD39A54719CC4B81F6144BE,SHA256=02BBE58ACCF402B0458E1EBF500856B74427AD3C4D1D1873F181D8184552C039,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000127734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:55.016{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA2DCDA4474F4853482C8DFE6C9EA670,SHA256=0E0A0AF9D8D968D06CAF9F6061E9E9103E91EAE1F5B647B28DCC158D74044354,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:55.016{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B19561A23ADDA3FBA2A94F5354A7FF4E,SHA256=3FE611903CC680617EE95A62B558BA4EC3258B7FB483A0A3499ED288693FFAD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:55.016{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D21FBA1528E33B2DAB19DBD26D715B37,SHA256=1E29C451BBA82682F8DAA78CD4EE03209850E978B3E88D24D034BD2EF2063DDA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:56.655{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-ECB0-61FC-5902-000000002D02}6604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:56.655{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-ECB0-61FC-5902-000000002D02}6604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
17141700x8000000000000000127792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-CreatePipe2022-02-04 09:06:56.586{7942A313-ECB0-61FC-5902-000000002D02}6604\PSHost.132884392164278326.6604.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000127791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:56.564{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98B99102EA51EE1272E45FAB2284BB12,SHA256=DF33756FB59A4BE387759FA997DA8E1DE4A481C03670B5571E4599FD0BC87BA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:56.564{7942A313-ECB0-61FC-5902-000000002D02}6604ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_sfg1kaon.0db.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:56.564{7942A313-ECB0-61FC-5902-000000002D02}6604ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_3irsrcu4.q1b.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:56.533{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=35AB1F73BA9D826A9A5B1DF57C4BE194,SHA256=D69E450531CE988C4072825A3C647D1691E882886EDD40F8822F8514883277CD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000127787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:56.533{7942A313-ECB0-61FC-5902-000000002D02}6604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_3irsrcu4.q1b.ps12022-02-04 09:06:56.533 10341000x8000000000000000127786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:56.518{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-ECB0-61FC-5902-000000002D02}6604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:56.502{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-ECB0-61FC-5902-000000002D02}6604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:56.465{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-ECB0-61FC-5902-000000002D02}6604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000127783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:56.434{7942A313-ECAD-61FC-5202-000000002D02}64927080C:\Windows\system32\conhost.exe{7942A313-ECB0-61FC-5902-000000002D02}6604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:56.421{7942A313-E057-61FC-0500-000000002D02}416408C:\Windows\system32\csrss.exe{7942A313-ECB0-61FC-5902-000000002D02}6604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000127781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:56.421{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000127780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:56.421{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:56.421{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000127778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:56.421{7942A313-ECAE-61FC-5502-000000002D02}64127028C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7942A313-ECB0-61FC-5902-000000002D02}6604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|UNKNOWN(00007FFF98ECBE10) 10341000x8000000000000000127777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:56.421{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000127776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:56.427{7942A313-ECB0-61FC-5902-000000002D02}6604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" -noninteractive -encodedcommand 
WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABHAGUAdAAtAFAAYQBjAGsAYQBnAGUAUAByAG8AdgBpAGQAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECAD-61FC-80F3-1E0000000000}0x1ef3800HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{7942A313-ECAE-61FC-5502-000000002D02}6412C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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 23542300x8000000000000000127775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:56.386{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F465C55E89A9AD5BD34719D6D0FFF7FF,SHA256=9B3443D35BFDF4117D4B31FB26E283A4C0069349A330F7D05D53B719D8B13ECF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:56.335{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DABA6E61E2CF0FFF54AE42EA2455CB02,SHA256=284E1B29C4F195782BF978DBAF89F989772C1E4E14AA2096188BF04EC61C07A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:56.335{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C8EADB37D8C645C72B6A9B2426EDB097,SHA256=9651D6C3E7CAE20729785527B2885332248092EB1C43B03463BCAEFFF7066A70,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:57.746{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E057-61FC-0B00-000000002D02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:57.746{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E057-61FC-0B00-000000002D02}632C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:57.730{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E057-61FC-0A00-000000002D02}624C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:59.931{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:59.931{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
23542300x8000000000000000127854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:59.762{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9B65AA2FE36E74F6E584EEBA4C01BE90,SHA256=B4AD22E1EA52B463073631EF9954835F721B849892CB766DB573C0A91BE00D9F,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000127853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:58.061{7942A313-ECB0-61FC-5902-000000002D02}6604onegetcdn.azureedge.net0type: 5 onegetcdn.ec.azureedge.net;type: 5 cs9.wpc.v0cdn.net;::ffff:152.199.19.161;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x8000000000000000127852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:59.711{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:59.711{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:59.693{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
23542300x8000000000000000127849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:59.678{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9E71CC11F36F5DAC73D858202F8356A,SHA256=45A832BF65DC2EF273166ABA2D480D92921B8218B5C666DA6CD9F15A18AF1A75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:59.451{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:59.451{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:59.442{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
354300x8000000000000000127845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:58.446{7942A313-ECB0-61FC-5902-000000002D02}6604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49388-false152.199.19.161-443https 354300x8000000000000000127844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:58.443{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-65535-false127.0.0.1-53domain 354300x8000000000000000127843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:58.291{7942A313-E06B-61FC-2900-000000002D02}2924C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-65535- 354300x8000000000000000127842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:58.291{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:9830:f3aa:8b8c:ffff-65535-true7f00:1:0:0:0:0:0:0-53domain 354300x8000000000000000127841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:58.233{7942A313-ECB0-61FC-5902-000000002D02}6604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49387-false104.125.30.92a104-125-30-92.deploy.static.akamaitechnologies.com443https 354300x8000000000000000127840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:58.206{7942A313-E06B-61FC-2900-000000002D02}2924C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local56757- 23542300x8000000000000000127839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:59.406{7942A313-ECAE-61FC-5402-000000002D02}6528ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:59.299{7942A313-ECAE-61FC-5502-000000002D02}6412ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=4524BADFB41CFD9DD6DCF4E3BFDC9C9F,SHA256=0226B9FCE0698757643F364DC1061B0F01237CFB0193014B02D734A32D083328,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:59.019{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2559A4078CBA319ED408A1B8BD725C71,SHA256=A9C3C7EAD9FE0EA9E3D5C503AEE1DFB07A8ED9B639BAFD2D729E375E3C331296,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:06:59.003{7942A313-ECB0-61FC-5902-000000002D02}6604ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127942Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:00.992{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=DC3D4658F38B9F9745D27A837B1C69C9,SHA256=3987295ACFFB022C6D833337023E997BED39A47F3F187DB8AD2D7F23B7D02301,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127941Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:00.975{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-ECB4-61FC-6102-000000002D02}6584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
23542300x8000000000000000127940Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:00.717{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D393D8F0D886515D06A53B84C749CF38,SHA256=F941BE808A9453AB8BF43CDA2F4DBEB5379142E5C726661B58788B1D08106BD5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127939Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:00.717{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127938Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:00.717{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127937Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:00.717{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000127936Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:00.632{7942A313-ECB3-61FC-5E02-000000002D02}65606416C:\Windows\system32\conhost.exe{7942A313-ECB4-61FC-6202-000000002D02}6824C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127935Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:00.617{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127934Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:00.617{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127933Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:00.617{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127932Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:00.617{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127931Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:00.617{7942A313-E057-61FC-0500-000000002D02}416408C:\Windows\system32\csrss.exe{7942A313-ECB4-61FC-6202-000000002D02}6824C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000127930Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:00.617{7942A313-ECB4-61FC-6102-000000002D02}65846980C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7942A313-ECB4-61FC-6202-000000002D02}6824C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e2040024(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e14c347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e14c30b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1f8b3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e148002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e14e3a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e14c5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e14c5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\S
ystem.Management.Automation.ni.dll+e14c593c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e14b665c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e14c3b9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e14c376b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e14c347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e14c30b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1f8b3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e14a8363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e14a78d5(wow64) 154100x8000000000000000127929Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:00.627{7942A313-ECB4-61FC-6202-000000002D02}6824C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 
65001C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECB3-61FC-2179-1F0000000000}0x1f79210HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{7942A313-ECB4-61FC-6102-000000002D02}6584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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 10341000x8000000000000000127928Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:00.532{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-ECB4-61FC-6102-000000002D02}6584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127927Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:00.532{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-ECB4-61FC-6102-000000002D02}6584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000127926Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-CreatePipe2022-02-04 09:07:00.495{7942A313-ECB4-61FC-6102-000000002D02}6584\PSHost.132884392203457181.6584.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000127925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:00.466{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B64C21FCAC75C6EA092C972DDC75937,SHA256=EEE2BCE2A2C834988F63E2C98B0C80F29A7A5AB61EEC6E792F2467EEABC0FB23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:00.466{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B6A78065FEFBAC286511F7DC02AF3BE,SHA256=9A82788EB33BA48143EEA07C413D5461D3B3A5A713E6AC8BCFD8DC2D0122D4D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000127923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:59.615{7942A313-E06B-61FC-2900-000000002D02}2924C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-57907- 354300x8000000000000000127922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:59.576{7942A313-E06B-61FC-2900-000000002D02}2924C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local57907- 354300x8000000000000000127921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:59.576{7942A313-E06B-61FC-2900-000000002D02}2924C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local55877- 354300x8000000000000000127920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:06:58.601{7942A313-E078-61FC-6A00-000000002D02}3528C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49389-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000127919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:00.448{7942A313-ECB4-61FC-6102-000000002D02}6584ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_22obv2d4.vjr.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:00.448{7942A313-ECB4-61FC-6102-000000002D02}6584ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_fef33i5i.x13.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000127917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:00.417{7942A313-ECB4-61FC-6102-000000002D02}6584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_fef33i5i.x13.ps12022-02-04 09:07:00.417 10341000x8000000000000000127916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:00.395{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-ECB4-61FC-6102-000000002D02}6584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:00.395{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-ECB4-61FC-6102-000000002D02}6584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
23542300x8000000000000000127914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:00.379{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=997EFB0FD849070D3C4E20AF015B3FAC,SHA256=966C55AF7463ECF8754A1251042E7B22598B634161B5983C231BFE1764C1E124,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:00.363{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-ECB4-61FC-6102-000000002D02}6584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:00.348{7942A313-ECB3-61FC-5E02-000000002D02}65606416C:\Windows\system32\conhost.exe{7942A313-ECB4-61FC-6102-000000002D02}6584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:00.332{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:00.332{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:00.332{7942A313-E057-61FC-0500-000000002D02}416532C:\Windows\system32\csrss.exe{7942A313-ECB4-61FC-6102-000000002D02}6584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000127908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:00.332{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:00.332{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:00.332{7942A313-ECB4-61FC-6002-000000002D02}65407060C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7942A313-ECB4-61FC-6102-000000002D02}6584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e237006b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17f34c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17f30ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e22bb42d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17b0071(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1813ae3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17f5af2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17f5af2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af264
8a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17f5983(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17e66a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17f3be5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17f37b2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17f34c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17f30ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e22bb42d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17d83aa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17d791c(wow64) 154100x8000000000000000127905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:00.345{7942A313-ECB4-61FC-6102-000000002D02}6584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 
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C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECB3-61FC-2179-1F0000000000}0x1f79210HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{7942A313-ECB4-61FC-6002-000000002D02}6540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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 10341000x8000000000000000127904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:00.263{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-ECB4-61FC-6002-000000002D02}6540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:00.263{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-ECB4-61FC-6002-000000002D02}6540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000127902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-CreatePipe2022-02-04 09:07:00.232{7942A313-ECB4-61FC-6002-000000002D02}6540\PSHost.132884392200765041.6540.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000127901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:00.194{7942A313-ECB4-61FC-6002-000000002D02}6540ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_g1lbzn0q.tj0.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:00.194{7942A313-ECB4-61FC-6002-000000002D02}6540ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_fqcnaoad.bhi.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000127899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:00.179{7942A313-ECB4-61FC-6002-000000002D02}6540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_fqcnaoad.bhi.ps12022-02-04 09:07:00.179 10341000x8000000000000000127898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:00.163{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-ECB4-61FC-6002-000000002D02}6540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:00.163{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-ECB4-61FC-6002-000000002D02}6540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:00.133{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-ECB4-61FC-6002-000000002D02}6540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000127895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:00.078{7942A313-ECB3-61FC-5E02-000000002D02}65606416C:\Windows\system32\conhost.exe{7942A313-ECB4-61FC-6002-000000002D02}6540C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:00.078{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:00.078{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:00.078{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000127891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:00.078{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:00.062{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\who5btnh.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECB3-61FC-2179-1F0000000000}0x1f79210HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{7942A313-ECB4-61FC-6102-000000002D02}6584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x8000000000000000127948Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:01.447{7942A313-ECB4-61FC-6102-000000002D02}6584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\who5btnh.cmdline2022-02-04 09:07:01.447 
11241100x8000000000000000127947Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.localDLL2022-02-04 09:07:01.447{7942A313-ECB4-61FC-6102-000000002D02}6584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\who5btnh.dll2022-02-04 09:07:01.447 10341000x8000000000000000127946Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:01.345{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127945Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:01.344{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127944Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:01.338{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
23542300x8000000000000000127943Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:01.055{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9746905BADF950CB6837315EED6CE34B,SHA256=4B7CE15880884ADAC137569201E99E06BB4ACCEB860B1E47721D41A0890DCE5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:02.659{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61443835B7601A684B4B8008C9F87756,SHA256=0C38C30E3AEECBAF5EB17C72C6EAEFCD216FD8DBDA794FBCD62A5F3B13BB4F55,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:02.336{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-ECB6-61FC-6502-000000002D02}6880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:02.336{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-ECB6-61FC-6502-000000002D02}6880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
17141700x8000000000000000127994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-CreatePipe2022-02-04 09:07:02.282{7942A313-ECB6-61FC-6502-000000002D02}6880\PSHost.132884392220729392.6880.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 354300x8000000000000000127993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:00.239{7942A313-E053-61FC-0100-000000002D02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse93.104.88.175ppp-93-104-88-175.dynamic.mnet-online.de50452-false10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local5986- 23542300x8000000000000000127992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:02.220{7942A313-ECB6-61FC-6502-000000002D02}6880ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_dtmc1wsw.qe5.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:02.220{7942A313-ECB6-61FC-6502-000000002D02}6880ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_z3xvrxdi.0d1.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:02.205{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FCE28256D5442DD01FFFE650C5B768AC,SHA256=2208189BA115D2EF143379E5B2155446E9462075C0E7BAECAF5D6697D60F2503,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000127989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:02.188{7942A313-ECB6-61FC-6502-000000002D02}6880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_z3xvrxdi.0d1.ps12022-02-04 09:07:02.188 10341000x8000000000000000127988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:02.150{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-ECB6-61FC-6502-000000002D02}6880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000127987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:02.150{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2A09D88F9CDA406D40238866B143C04A,SHA256=C144CA7043369B884F6DE4668AB915AA86F4B6A8AD135153A5B09EFC63996871,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000127986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:02.150{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82E7D3625CBB10237B731AB21E10997B,SHA256=6D619C73C1D870E3BCF6A1A295C1CEE62A61D0F98211407EFBB37AAD49B46167,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000127985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:02.135{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-ECB6-61FC-6502-000000002D02}6880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:02.125{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-ECB6-61FC-6502-000000002D02}6880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:02.072{7942A313-ECB3-61FC-5E02-000000002D02}65606416C:\Windows\system32\conhost.exe{7942A313-ECB6-61FC-6502-000000002D02}6880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:02.072{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:02.072{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:02.072{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:02.072{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000127978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:02.072{7942A313-E057-61FC-0500-000000002D02}416432C:\Windows\system32\csrss.exe{7942A313-ECB6-61FC-6502-000000002D02}6880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000127977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:02.072{7942A313-ECB4-61FC-6102-000000002D02}65846360C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7942A313-ECB6-61FC-6502-000000002D02}6880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|UNKNOWN(00007FFF98ECBE30) 154100x8000000000000000127976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:02.072{7942A313-ECB6-61FC-6502-000000002D02}6880C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" -noninteractive -encodedcommand 
WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG4AcwB0AGEAbABsAC0AUABhAGMAawBhAGcAZQBQAHIAbwB2AGkAZABlAHIAIAAtAE4AYQBtAGUAIABOAHUARwBlAHQAIAAtAE0AaQBuAGkAbQB1AG0AVgBlAHIAcwBpAG8AbgAgADIALgA4AC4ANQAuADIAMAAxACAALQBGAG8AcgBjAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECB3-61FC-2179-1F0000000000}0x1f79210HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{7942A313-ECB4-61FC-6102-000000002D02}6584C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 23542300x8000000000000000128032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:03.865{7942A313-ECB6-61FC-6502-000000002D02}6880ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\klbyfkqt\klbyfkqt.dllMD5=C73A2D7598ED80F325AC755C648AF10D,SHA256=9DCC3A14EECE40595F8FB576B507B94BE068327925DD29F70C7DAF019FA63E29,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x8000000000000000128031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:03.865{7942A313-ECB6-61FC-6502-000000002D02}6880ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\klbyfkqt\klbyfkqt.outMD5=84E0D30A44D2E2A30DF25FAFB7533A07,SHA256=340947E91DA3415819DDF98E320F72D7E979EDFDB5EFB14B5AF2EE6F79AA3DD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:03.865{7942A313-ECB6-61FC-6502-000000002D02}6880ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\klbyfkqt\klbyfkqt.cmdlineMD5=0A9AF50EAE3BF9CE075B41DE1EF9AB87,SHA256=8C92027F118AF0EEB756981881BE9D2D219FA9069DA0D8036131F833C474388A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:03.865{7942A313-ECB6-61FC-6502-000000002D02}6880ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\klbyfkqt\klbyfkqt.0.csMD5=A29444398AC9A819C5D208948B81A14C,SHA256=F447865E0C75B6C39BECAB9B9527FCC583DEF24C18A66CC815A9419F375DDC11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
23542300x8000000000000000128045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:05.304{7942A313-ECB6-61FC-6502-000000002D02}6880ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\Microsoft.PackageManagement\dks4yb3v.2h0MD5=9782AA4C5536B3CC56ABA1AAE44C153C,SHA256=A6BE65D6BDFEABB8BFB59FAD868FAAEA9A324139A9DAF913C4CB99683C3FE2CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:05.272{7942A313-ECB6-61FC-6502-000000002D02}6880ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\Microsoft.PackageManagement\apc0bprh.rvvMD5=C6F13ED42AE5C0EF4EF3A5AEA74AEDFA,SHA256=705C76FD7AF58E9D58722FCBD2A2B961AC6EF6D6F36B731EE47D6D92EB9BDE66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:05.257{7942A313-ECB6-61FC-6502-000000002D02}6880ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\Microsoft.PackageManagement\ek45antv.2vaMD5=6C567765F0CA1DEFAB41E64FC9BA38AD,SHA256=0F5E93DA37D4709EB6B0C08E6515F2F8413CADBE55FC7C0EA3B67AF406B936E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:05.241{7942A313-ECB6-61FC-6502-000000002D02}6880ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\Microsoft.PackageManagement\kgwzigpy.ylfMD5=80675050C8B3C7ECB6479E24B2F4D3D2,SHA256=B6B905283595B90EAF630051788456F36E85D48A27372F87AB620DD99CAFA2F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:05.204{7942A313-ECB6-61FC-6502-000000002D02}6880ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\Microsoft.PackageManagement\m50uuk4j.uxrMD5=26C50195ABBFDE6611A4CAEE3585960B,SHA256=B2915EDDDBD8029336C3933115B8D8E9471FB63039177901606C5D101770E059,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:05.189{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B52C49F3B09FD2026A343C82B9A9548,SHA256=460F94190520BD16DA7B6DA96FFEFC6EE1F62A70598F422B8763D6323D5E95C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:05.189{7942A313-ECB6-61FC-6502-000000002D02}6880ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\Microsoft.PackageManagement\zeiznazx.k3vMD5=C9407671041EAF874E42FEEA83E9E055,SHA256=5623F3990AC72788F17C5D57127B8E99F31369D39030A38E203367E2B6041ED1,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000128038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:05.142{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=25D34A4FA4AC530E71F6C7986B2F8CD0,SHA256=96C2C75213BC3DFE832AD507140313D4113F5D4A2CA0E9E456DA5554B3F1B68A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:05.142{7942A313-ECB6-61FC-6502-000000002D02}6880ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\Microsoft.PackageManagement\qfjejv4z.qhjMD5=26C50195ABBFDE6611A4CAEE3585960B,SHA256=B2915EDDDBD8029336C3933115B8D8E9471FB63039177901606C5D101770E059,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:05.104{7942A313-ECB6-61FC-6502-000000002D02}6880ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\Microsoft.PackageManagement\pf3kai3f.qk2MD5=D35B8C04DA801DE749B12D5DA8A0B9A0,SHA256=9CB8C56FA40380069256C24AB816BFD0E08201E16B654BD76D0EC0608DC1CCE1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000128125Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:06.989{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128124Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:06.989{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128123Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:06.989{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128122Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:06.989{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128121Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:06.989{7942A313-E057-61FC-0500-000000002D02}416432C:\Windows\system32\csrss.exe{7942A313-ECBA-61FC-6E02-000000002D02}6820C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000128120Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:06.989{7942A313-ECBA-61FC-6D02-000000002D02}64126808C:\Windows\system32\cmd.exe{7942A313-ECBA-61FC-6E02-000000002D02}6820C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000128119Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:06.993{7942A313-ECBA-61FC-6E02-000000002D02}6820C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 
UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcA
QgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECBA-61FC-5609-200000000000}0x2009560HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{7942A313-ECBA-61FC-6D02-000000002D02}6412C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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 10341000x8000000000000000128118Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:06.987{7942A313-ECBA-61FC-6C02-000000002D02}70646460C:\Windows\system32\conhost.exe{7942A313-ECBA-61FC-6D02-000000002D02}6412C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128117Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:06.984{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:06.984{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:06.983{7942A313-E057-61FC-0500-000000002D02}416432C:\Windows\system32\csrss.exe{7942A313-ECBA-61FC-6D02-000000002D02}6412C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000128114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:06.983{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:06.983{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:06.983{7942A313-ECBA-61FC-6B02-000000002D02}69406892C:\Windows\system32\WinrsHost.exe{7942A313-ECBA-61FC-6D02-000000002D02}6412C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windo
ws\System32\RPCRT4.dll+11cfb 154100x8000000000000000128111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:06.982{7942A313-ECBA-61FC-6D02-000000002D02}6412C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECBA-61FC-5609-200000000000}0x2009560HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{7942A313-ECBA-61FC-6B02-000000002D02}6940C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000128110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:06.968{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:06.968{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:06.968{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000128107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:06.951{7942A313-E05A-61FC-1400-000000002D02}9641412C:\Windows\system32\svchost.exe{7942A313-ECBA-61FC-6B02-000000002D02}6940C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000128106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:07.628{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:07.628{7942A313-E057-61FC-0500-000000002D02}416432C:\Windows\system32\csrss.exe{7942A313-ECBB-61FC-7102-000000002D02}6880C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000128170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:07.627{7942A313-ECBB-61FC-7002-000000002D02}67806528C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7942A313-ECBB-61FC-7102-000000002D02}6880C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e237006b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17f34c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17f30ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e22bb42d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17b0071(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1813ae3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17f5af2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17f5af2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\S
ystem.Management.Automation.ni.dll+e17f5983(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17e66a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17f3be5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17f37b2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17f34c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17f30ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e22bb42d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17d83aa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17d791c(wow64) 154100x8000000000000000128169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:07.627{7942A313-ECBB-61FC-7102-000000002D02}6880C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 
65001C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECBA-61FC-5609-200000000000}0x2009560HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{7942A313-ECBB-61FC-7002-000000002D02}6780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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 10341000x8000000000000000128168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:07.556{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-ECBB-61FC-7002-000000002D02}6780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:07.556{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-ECBB-61FC-7002-000000002D02}6780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000128166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-CreatePipe2022-02-04 09:07:07.520{7942A313-ECBB-61FC-7002-000000002D02}6780\PSHost.132884392273371648.6780.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000128165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:07.493{7942A313-ECBB-61FC-7002-000000002D02}6780ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_x3gsovns.gdt.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:07.490{7942A313-ECBB-61FC-7002-000000002D02}6780ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_povwpvhb.aeo.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000128163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:07.463{7942A313-ECBB-61FC-7002-000000002D02}6780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_povwpvhb.aeo.ps12022-02-04 09:07:07.463 10341000x8000000000000000128162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:07.431{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-ECBB-61FC-7002-000000002D02}6780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128161Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:07.421{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-ECBB-61FC-7002-000000002D02}6780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128160Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:07.392{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-ECBB-61FC-7002-000000002D02}6780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000128159Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:07.342{7942A313-ECBA-61FC-6C02-000000002D02}70646460C:\Windows\system32\conhost.exe{7942A313-ECBB-61FC-7002-000000002D02}6780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128158Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:07.328{7942A313-E057-61FC-0500-000000002D02}416432C:\Windows\system32\csrss.exe{7942A313-ECBB-61FC-7002-000000002D02}6780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000128157Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:07.328{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000128156Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:07.328{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128155Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:07.328{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000128154Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:07.328{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128153Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:07.328{7942A313-ECBA-61FC-6E02-000000002D02}68206432C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7942A313-ECBB-61FC-7002-000000002D02}6780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e237006b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17f34c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17f30ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e22bb42d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17b0071(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1813ae3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17f5af2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17f5af2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af264
8a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17f5983(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17e66a3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17f3be5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17f37b2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17f34c4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17f30ff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e22bb42d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17d83aa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e17d791c(wow64) 154100x8000000000000000128152Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:07.337{7942A313-ECBB-61FC-7002-000000002D02}6780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 
JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECBA-61FC-5609-200000000000}0x2009560HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{7942A313-ECBA-61FC-6E02-000000002D02}6820C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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 23542300x8000000000000000128151Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:07.311{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7019B1315ACCE528E8065D089B499A05,SHA256=122627027758DB0D53C615FCB293F2475309B5929E5785491C6975EB0CCDE2BF,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000128150Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:07.242{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-ECBA-61FC-6E02-000000002D02}6820C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128149Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:07.242{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-ECBA-61FC-6E02-000000002D02}6820C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000128148Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:07.226{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC65E52C732B3CB8FB3825BB0008F1C4,SHA256=FCE7AFAC4A64AC788F3021C3CD0ACCD6C9A182B6C10A2CCC18B65999EEC5D5BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128147Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:07.168{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=08EA61C8B2C0B80CB23DAD450323A908,SHA256=237CDE2D079A27398011B473153E52CF2DAE719E4DD9DDC7D37FD950BAC5E79C,IMPHASH=00000000000000000000000000000000falsetrue 
09:07:08.527{7942A313-E057-61FC-0500-000000002D02}416408C:\Windows\system32\csrss.exe{7942A313-ECBC-61FC-7302-000000002D02}6812C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000128202Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:08.527{7942A313-ECBB-61FC-7002-000000002D02}67806528C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7942A313-ECBC-61FC-7302-000000002D02}6812C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2be405|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2be05f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2bdb80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2bdb08|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2bc1c3|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+7d88f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+7d836a|UNKNOWN(00007FFF9913BB0F) 154100x8000000000000000128201Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:08.527{7942A313-ECBC-61FC-7302-000000002D02}6812C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: 
NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\xjsqiqpg.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECBA-61FC-5609-200000000000}0x2009560HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{7942A313-ECBB-61FC-7002-000000002D02}6780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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 11241100x8000000000000000128200Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:08.525{7942A313-ECBB-61FC-7002-000000002D02}6780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\xjsqiqpg.cmdline2022-02-04 09:07:08.525 11241100x8000000000000000128199Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.localDLL2022-02-04 09:07:08.524{7942A313-ECBB-61FC-7002-000000002D02}6780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\xjsqiqpg.dll2022-02-04 09:07:08.524 23542300x8000000000000000128198Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:08.336{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61C2F5B1EF8CF7654C39A7AFD7EF90E5,SHA256=92D916C2FDEF1F3412109FC6856A7C289118D15E9A2B1AB869EE038B33139D65,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000128197Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:08.296{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128196Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:08.296{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128195Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:08.292{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
23542300x8000000000000000128194Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:08.081{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4F7FE491DB08116CB858EDC2B103D3A1,SHA256=E7EF376F835F77ECE352E89D5475B4246D8C570D495B9C9D7A2255FBACC35784,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128193Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:08.049{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA078C9FEA20DC132D39A5708DE3187C,SHA256=BF42B0C8CF126765C1D9E51E1257C05402999105C8EB6E06C5CDB620181F81A5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000128192Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:08.018{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-ECBB-61FC-7002-000000002D02}6780C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128191Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:08.006{7942A313-E06C-61FC-3300-000000002D02}32243244C:\Windows\system32\conhost.exe{7942A313-ECBB-61FC-7202-000000002D02}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000128190Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:08.003{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26206C008A01AB7B2EA094E1A1494C05,SHA256=746F728E2302DBA06BDF9AB40857ABA4CBD3B4A316959FC25EA288627BB96D58,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000128189Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:07.999{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128188Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:07.999{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000128187Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:07.999{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128186Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:07.999{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000128185Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:07.998{7942A313-E057-61FC-0500-000000002D02}416408C:\Windows\system32\csrss.exe{7942A313-ECBB-61FC-7202-000000002D02}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000128184Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:07.998{7942A313-E06B-61FC-2C00-000000002D02}29844028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7942A313-ECBB-61FC-7202-000000002D02}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000128183Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:07.825{7942A313-ECBB-61FC-7202-000000002D02}6680C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7942A313-E058-61FC-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{7942A313-E06B-61FC-2C00-000000002D02}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000128252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:09.970{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C054788EF030396E8EAD4BCC12AAE5F5,SHA256=C1A1CB42B740F5E535B5D786E886FAD4D381EBEDA6EE0DCEF2532B960055F9BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000128251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:07.175{7942A313-E053-61FC-0100-000000002D02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse93.104.88.175ppp-93-104-88-175.dynamic.mnet-online.de50454-false10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local5986- 10341000x8000000000000000128250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:09.381{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000128249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:09.350{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6457AECD08345EEF11ED05630BB1C62F,SHA256=93E08240D384659A6FF2DC7D4A6916FDD73ECB161E70D68B0738E4A46230EF15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:09.213{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E29CF17C2B9F3C3F29B6473DF753563B,SHA256=D39BFA5DE52F600D2635BBDA51EF4F93D1D1C0B12A7D9EF7908FA5A54910DFFD,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000128247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:09.128{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:09.128{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000128245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-CreatePipe2022-02-04 09:07:09.097{7942A313-ECBC-61FC-7502-000000002D02}6904\PSHost.132884392289643774.6904.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000128244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:09.081{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F78E5E64EA5AF84D172B969F6B4780CD,SHA256=B3C52D150776F2656A10ABD3D3E9FFBA8F8C152779E2F960621915F691D6F41E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:09.066{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_dchdswlg.xml.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:09.050{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_nnfprnkn.yz5.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000128241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:09.043{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_nnfprnkn.yz5.ps12022-02-04 09:07:09.043 10341000x8000000000000000128240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:09.012{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:09.012{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000128238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:08.996{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000128276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:10.874{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\master.zipMD5=A7B8A419AA46A87E61C18E2163157A8A,SHA256=B90E3140D353A9F8889A41353AFAC404E9C7FDCBBF0F7534DD156130CAC14D76,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000128275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:10.839{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\install-atomicsfolder.ps12022-02-04 09:07:10.839 11241100x8000000000000000128274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:10.839{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\install-atomicredteam.ps12022-02-04 09:07:10.839 11241100x8000000000000000128273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:10.823{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Public\Start-AtomicGUI.ps12022-02-04 09:07:10.823 11241100x8000000000000000128272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:10.823{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Public\New-Atomic.ps12022-02-04 09:07:10.823 11241100x8000000000000000128271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:10.823{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Public\Invoke-WebRequestVerifyHash.ps12022-02-04 09:07:10.823 11241100x8000000000000000128270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:10.823{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Public\Invoke-AtomicTest.ps12022-02-04 09:07:10.823 11241100x8000000000000000128269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:10.823{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Public\Get-AtomicTechnique.ps12022-02-04 09:07:10.823 
11241100x8000000000000000128268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:10.807{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Write-PrereqResults.ps12022-02-04 09:07:10.807 11241100x8000000000000000128267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:10.807{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Write-KeyValue.ps12022-02-04 09:07:10.807 11241100x8000000000000000128266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:10.807{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Write-ExecutionLog.ps12022-02-04 09:07:10.807 11241100x8000000000000000128265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:10.807{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Show-Details.ps12022-02-04 09:07:10.807 11241100x8000000000000000128264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:10.807{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Replace-InputArgs.ps12022-02-04 09:07:10.807 11241100x8000000000000000128263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:10.807{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Invoke-Process.ps12022-02-04 09:07:10.807 11241100x8000000000000000128262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:10.792{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Invoke-KillProcessTree.ps12022-02-04 09:07:10.792 11241100x8000000000000000128261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:10.792{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Invoke-ExecuteCommand.ps12022-02-04 09:07:10.792 11241100x8000000000000000128260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:10.792{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Invoke-CheckPrereqs.ps12022-02-04 09:07:10.792 11241100x8000000000000000128259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:10.792{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Get-TargetInfo.ps12022-02-04 09:07:10.792 11241100x8000000000000000128258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:10.792{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Get-PrereqExecutor.ps12022-02-04 09:07:10.776 
11241100x8000000000000000128257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:10.776{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\AtomicClassSchema.ps12022-02-04 09:07:10.776 11241100x8000000000000000128256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:10.776{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\LICENSE.txt2022-02-04 09:07:10.776 354300x8000000000000000128255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:09.549{7942A313-E078-61FC-6A00-000000002D02}3528C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49393-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000128254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:10.365{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9165AA0D8289F3DA8BBFB2BF48C0D0D5,SHA256=F0220F815DFE4A935764E711F6CF4BBE33BA91A3C43DE0804E1A55F501075973,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:10.108{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=392CF0B50B80EDF6849715F1C6703184,SHA256=CAB8207190572771D529E541EBC58C04C1BE5E8536D383A0C1ED9484F26D9933,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:11.591{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=15589D4DDC47F1C3BDB5559786C1D110,SHA256=8B619485158F928505F6A138902AE83E5DAE5A0C6745D824A2B054B6E366989C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:11.576{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BDC91DF65B1314D08319CDDEE951EFF,SHA256=6BF37D2359C9252FCE4524AC2BF5CB20DC5A3ECACB2F99339179867A30FCD2C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:11.576{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2FE1647CE9A52D0E21FBC7FB72312C43,SHA256=1F34C72ED340BCDAFF281239F3A52409F736225BBA2181C926CC836BA9B0A935,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000128311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:10.520{7942A313-E06B-61FC-2900-000000002D02}2924C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local51612- 354300x8000000000000000128310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:10.502{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49395-false140.82.121.4lb-140-82-121-4-fra.github.com443https 354300x8000000000000000128309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:10.499{7942A313-E06B-61FC-2900-000000002D02}2924C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local61660- 354300x8000000000000000128308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:09.768{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49394-false185.199.109.133cdn-185-199-109-133.github.com443https 354300x8000000000000000128307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:09.761{7942A313-E06B-61FC-2900-000000002D02}2924C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local59370- 
23542300x8000000000000000128306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:11.544{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\02zt4fm1\02zt4fm1.cmdlineMD5=FA8AE2A82902EECC7246F6473EA4A198,SHA256=30116EA8E9AAB111401CD7FAF3101094AD5F89344A57BD0B3E678FC56D4ED8E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:11.544{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\02zt4fm1\02zt4fm1.0.csMD5=A29444398AC9A819C5D208948B81A14C,SHA256=F447865E0C75B6C39BECAB9B9527FCC583DEF24C18A66CC815A9419F375DDC11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:11.544{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\02zt4fm1\02zt4fm1.dllMD5=26499D4BBAEAF6D74D77EF7E3FA51817,SHA256=A2889AF682450606FB846CD465613D0CDA49DA3A1F5FAC1D1E0D1593911F864F,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x8000000000000000128303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:11.544{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\02zt4fm1\02zt4fm1.outMD5=D3140DA4BDEE595FFFF57619AFF3EE5A,SHA256=5CAFBC68A65FDB28014E379E6312468F9159F1949BB007B628CDF857D498D824,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000128302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:11.523{7942A313-ECBF-61FC-7602-000000002D02}6952ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\02zt4fm1\CSCA3D11ADF588C431BAD764CFF8AD9DAC2.TMPMD5=B946BFA3DDD121DEBFFA7C1046CC9335,SHA256=DE0BC318695DC98CB3FC6443428E8C334F3D4520335DC4D3F2ECA966891ED4A7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000128301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.localDLL2022-02-04 09:07:11.523{7942A313-ECBF-61FC-7602-000000002D02}6952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\02zt4fm1\02zt4fm1.dll2022-02-04 09:07:11.341 23542300x8000000000000000128300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:11.523{7942A313-ECBF-61FC-7602-000000002D02}6952ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\02zt4fm1\02zt4fm1.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:11.523{7942A313-ECBF-61FC-7602-000000002D02}6952ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES8BFA.tmpMD5=55B45667B6998D74445E8029A9F9A59D,SHA256=079DB34EDC9F59DD951B07DA9FF9B175888A6B4AA0794AD7EA90C8778DA7BF03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:11.507{7942A313-ECBF-61FC-7702-000000002D02}6948ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES8BFA.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000128297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:11.491{7942A313-ECBA-61FC-6C02-000000002D02}70646460C:\Windows\system32\conhost.exe{7942A313-ECBF-61FC-7702-000000002D02}6948C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:11.491{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:11.491{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:11.491{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:11.491{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:11.491{7942A313-E057-61FC-0500-000000002D02}416432C:\Windows\system32\csrss.exe{7942A313-ECBF-61FC-7702-000000002D02}6948C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000128291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:11.491{7942A313-ECBF-61FC-7602-000000002D02}69526584C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{7942A313-ECBF-61FC-7702-000000002D02}6948C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b46d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3db4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3f2c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+4002|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27b2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2804|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2948|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7fe06|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+4726f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45e1f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45b16|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45826|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1938a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18bf6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+a831|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1f0a49|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000128290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:11.497{7942A313-ECBF-61FC-7702-000000002D02}6948C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 
"/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES8BFA.tmp" "c:\Users\Administrator\AppData\Local\Temp\02zt4fm1\CSCA3D11ADF588C431BAD764CFF8AD9DAC2.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECBA-61FC-5609-200000000000}0x2009560HighMD5=C877CBB966EA5939AA2A17B6A5160950,SHA256=1FE531EAC592B480AA4BD16052B909C3431434F17E7AE163D248355558CE43A6,IMPHASH=55D76ADE7FFEA0F41FF2B55505C2B362{7942A313-ECBF-61FC-7602-000000002D02}6952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\02zt4fm1\02zt4fm1.cmdline" 22542200x8000000000000000128289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:10.141{7942A313-ECBC-61FC-7502-000000002D02}6904codeload.github.com0::ffff:140.82.121.9;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 22542200x8000000000000000128288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:10.119{7942A313-ECBC-61FC-7502-000000002D02}6904github.com0::ffff:140.82.121.4;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 22542200x8000000000000000128287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:09.382{7942A313-ECBC-61FC-7502-000000002D02}6904raw.githubusercontent.com0::ffff:185.199.109.133;::ffff:185.199.110.133;::ffff:185.199.111.133;::ffff:185.199.108.133;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x8000000000000000128286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:11.344{7942A313-ECBA-61FC-6C02-000000002D02}70646460C:\Windows\system32\conhost.exe{7942A313-ECBF-61FC-7602-000000002D02}6952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:11.344{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:11.344{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:11.344{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:11.344{7942A313-E057-61FC-0500-000000002D02}416408C:\Windows\system32\csrss.exe{7942A313-ECBF-61FC-7602-000000002D02}6952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000128281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:11.344{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:11.344{7942A313-ECBC-61FC-7502-000000002D02}69046772C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7942A313-ECBF-61FC-7602-000000002D02}6952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2be405|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2be05f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2bdb80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2bdb08|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2bc1c3|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+7d8e81|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+7d828a|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\3d53105c9e15534f7b6f1cd8e0ea0e89\Microsoft.PowerShell.Commands.Utility.ni.dll+e7039f80(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\3d53105c9e15534f7b6f1cd8e0ea0e89\Microsoft.PowerShell.Commands.Utility.ni.dll+e7039f80(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e14e94bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e14c347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation
.ni.dll+e14c30b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1f8b3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e148002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e14e3a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e14c5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e14c5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e14c5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e14c5aab(wow64) 154100x8000000000000000128279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:11.344{7942A313-ECBF-61FC-7602-000000002D02}6952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\02zt4fm1\02zt4fm1.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECBA-61FC-5609-200000000000}0x2009560HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand 
11241100x8000000000000000128278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:11.341{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\02zt4fm1\02zt4fm1.cmdline2022-02-04 09:07:11.341 11241100x8000000000000000128277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.localDLL2022-02-04 09:07:11.341{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\02zt4fm1\02zt4fm1.dll2022-02-04 09:07:11.341 23542300x8000000000000000128323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:12.741{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DAFD00C5BB9B490AFB93CD6EEFDF184D,SHA256=CA0C755CD1DA4F92E585B18A7F221452896555F908D49FD915FB20D525E4366E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:12.737{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=ABF0A61FD338D67F320C4CBEF504B6CA,SHA256=63DBA077EADDE2C43E29E6B1DA6D346778EF10F09488C46CECD68032CF49C81F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:12.719{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B085E163CB8FD484E22DA7721B6E928B,SHA256=B4BDCA37DB2DE32B2A3D0D81A35B8C003C075A61F6CAF020E5487D51C7F9F3E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000128320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:10.525{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49396-false140.82.121.9lb-140-82-121-9-fra.github.com443https 23542300x8000000000000000128319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:12.604{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\Microsoft.PackageManagement\if3fzfme.gkpMD5=BD5BC210DA3DC6700837F7F1EF332861,SHA256=ADB9F280E68F8C8EF04510D25A7A31C547EEC0E828ABBCC0F9C7C0DF81A4D88A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:12.591{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\Microsoft.PackageManagement\l0tbinj5.vuuMD5=59146FA8BBC0DEFDEA515CDE5D5CCB59,SHA256=6CC5CA22678B2300286AC6451FD66A3245F0153013430D899448DFC2A1E51291,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:12.575{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\Microsoft.PackageManagement\ktlsnfks.os5MD5=26C50195ABBFDE6611A4CAEE3585960B,SHA256=B2915EDDDBD8029336C3933115B8D8E9471FB63039177901606C5D101770E059,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:12.555{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\Microsoft.PackageManagement\t4g1uu3i.e2nMD5=D35B8C04DA801DE749B12D5DA8A0B9A0,SHA256=9CB8C56FA40380069256C24AB816BFD0E08201E16B654BD76D0EC0608DC1CCE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:12.380{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60F3431FBADC9903FCF373DC989C747C,SHA256=67BD9713C9194F5214758DC3E888F3DA266A3EEF642949CA8B611CFC1A5B25AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:13.603{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=66385581041BF0A95AA52572786FFE82,SHA256=A1A529896A48129298BC4924C6D6859B80D44B80CAB3CFD29E6526C9193CDFAE,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000128324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:13.556{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB2721E0E7210FC4ECFA3E4C5F8A9617,SHA256=7E1E82EE3E88362F6C7A29931628A08D4D64A8F9B77E6C5AE71A65527FA11132,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:14.980{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FC8FD3990CA85991DE7417B9A71EB37E,SHA256=86171072F6390A541C67F17828045ABD81F315320E593640DD5356D99E50F1A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:14.573{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37EBC5B746749CD3A32AF3B90FAFD7AD,SHA256=BF581286EDEC1A73A82DB66721F0DEB757C264E9FEA935888F2EAEA7550AA031,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000128328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:12.840{7942A313-E06B-61FC-2900-000000002D02}2924C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local53511- 354300x8000000000000000128327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:12.735{7942A313-E06B-61FC-2900-000000002D02}2924C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local55439- 22542200x8000000000000000128326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:12.478{7942A313-ECBC-61FC-7502-000000002D02}6904onegetcdn.azureedge.net0type: 5 onegetcdn.ec.azureedge.net;type: 5 cs9.wpc.v0cdn.net;::ffff:152.199.19.161;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000128336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:15.643{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EB4710C8A600C3BB6D8DB44594E8DE55,SHA256=D36A48DD8078AC9E3CD0AC55B5B51DE847EBFD12C21336A573234CC7CF9262E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:15.643{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E1118B33BD3B59462D1543C3DCD675AD,SHA256=084D2390AE90721FD0F2508C3252E1C2D299D17947239B01328F6C81EB5A18B9,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000128334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:15.643{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=03913DCD10B87B6C090143447D337DD0,SHA256=605B704348C8864AEF9C19830B177069FB03BF75E97EC0C3DDA41264E4952B96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:15.581{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD83D2BBB9EC3DCE058BE70E978B7F7D,SHA256=AF62A4858E7F87DE60D187DB9B2EB0A2EAE8042AC765E8B642E2F084D9834849,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000128332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:12.862{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49398-false152.199.19.161-443https 354300x8000000000000000128331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:12.844{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49397-false104.125.30.92a104-125-30-92.deploy.static.akamaitechnologies.com443https 23542300x8000000000000000128340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:16.927{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=853F121F6227A6AF2203D87F34C0A5A9,SHA256=E01DAA88637A909B3960A949D8DD398CA377A4159EDEF34535C53D36CB8A16D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:16.596{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=286B94283DB776EACF6F335C6A299789,SHA256=5D6E4C8DD0A60CBF012F96C089107429B36F74FA6EAB6249DA0259E9528B529B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000128338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:15.314{7942A313-E06B-61FC-2900-000000002D02}2924C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local61227- 354300x8000000000000000128337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:15.299{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49399-false104.125.30.92a104-125-30-92.deploy.static.akamaitechnologies.com443https 23542300x8000000000000000128345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:17.627{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36CD488EE9A9D835E2D02A0964E2F5B4,SHA256=9E3A2804DB6F92F5E49DF7F52F19C4642455C71C4A2265BB82F0EAA58AFBF632,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000128344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:16.279{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49402-false104.125.30.92a104-125-30-92.deploy.static.akamaitechnologies.com443https 354300x8000000000000000128343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:15.456{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49400-false168.61.186.235-443https 354300x8000000000000000128342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:15.379{7942A313-E078-61FC-6A00-000000002D02}3528C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49401-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 22542200x8000000000000000128341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:14.953{7942A313-ECBC-61FC-7502-000000002D02}6904www.powershellgallery.com0type: 5 powershellgallerytrafficmanager.trafficmanager.net;type: 5 psg-prod-centralus.cloudapp.net;::ffff:168.61.186.235;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 
23542300x8000000000000000128348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:18.747{7942A313-E05A-61FC-1000-000000002D02}380NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=AAA552C8B93DAD544476AFF5B37B00E1,SHA256=11CEA1F0DA6A353C5583819E5FCBAA74BAB19827D112A04353848B0D4C20A7CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:18.631{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5C211EA56C1E1CC35C7B3B9A3F4E8E3,SHA256=85F531BF4B0DECD8624F0A30AAA2F8F19EE84270B72FFD6243591019277470BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000128346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:16.407{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49403-false168.61.186.235-443https 23542300x8000000000000000128352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:19.666{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB92F359F26AC986FC9DF69061AA033A,SHA256=202E3FE44AA06DDD24F2638AF743B9FEA8A33447A09C4663FBDF2F77097D3435,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000128351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:17.831{7942A313-E06B-61FC-2900-000000002D02}2924C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-60151- 354300x8000000000000000128350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:17.794{7942A313-E06B-61FC-2900-000000002D02}2924C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local60151- 23542300x8000000000000000128349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:19.031{7942A313-E82C-61FC-9101-000000002D02}4948ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q2h6ebb1.default-release\datareporting\glean\db\data.safe.binMD5=A56D1FEF18A3D85A2176CF52CD1A05D2,SHA256=D4BE36DACD34F45CE709F996D78312236ACABD08DF148808005A54E0FE2D86D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:20.683{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F459893C6D56E7FC45D661DA5850520,SHA256=859F28C53F19C4AFC9B03B3AE128AA1CCCAA3FAF830DCED615D224E61F1DADD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:21.698{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF8C4060737F1E86BC744A340DAF272C,SHA256=4944C68747F7638DCCA5E7DE46B7C1A2A7EB20742C85F74D2365FAE7538AEE67,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000128354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:20.513{7942A313-E078-61FC-6A00-000000002D02}3528C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49404-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000128356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:22.713{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E352C72877968A7D78BCFEC4BC89C6F0,SHA256=062F8AB67C1521105461CE2F9CA27F1FDF49AFE63F7DFD687D171420A8AC3BCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:23.713{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04CD61DB8BF6DABC176F1C525EF5F126,SHA256=B98302E0DC1C41FFFDF9CC310E9C99B7D3C0781B8380BDA40A9312C9229E736C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:24.715{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=302C5D8B1979682C54CE3CFFCBCB09C0,SHA256=C3BE393D9FC1E8F953734C4B6BE55EAE50B5F7D5F91CB2366FB21780E1F5FC16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:24.045{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5=234A73A2DF4907AE119346EC7562766F,SHA256=1D9F47C2A1D4F92460717964D0E61FF2D774D7A475D3AE0F6705FE51F0B21920,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:25.715{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1122C51FB1BFB60B5C7FD25CED865C02,SHA256=67EAF547EC2096D115200FA5BDCB3534386DAD92323C3B702F7DC0D45FE15CD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:26.730{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3114E59174798048821922B31BB57E9F,SHA256=1287CB847A65D728F21F95EA577A604EAE9A4683797FE3A90F6A7C5FE8F6A45C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:27.747{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7FC1C384D612840D2537208FC3631E0,SHA256=6E9867DB105E52170858DFF2323B4D847EF95AD493AB1164AB9A6CF34DED9343,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000128364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:26.723{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49406-false104.125.30.92a104-125-30-92.deploy.static.akamaitechnologies.com443https 354300x8000000000000000128363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:26.513{7942A313-E078-61FC-6A00-000000002D02}3528C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49405-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000128362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:27.485{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=95B7CE8FD7A17775A3BAA04D626C5C5F,SHA256=55A4F050F6F28AFCCA1BCC5C44FD826A097DF0E66B0451A9E9FE95B4DB7D8D35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:28.749{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6D41C4D5A57D48427415E40C10129FD,SHA256=D5C65068F53BE45361E86CBD478A11C91D9E7F0FC2A7E19EFE2FCB644A28457F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000128372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:27.903{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49408-false168.61.186.235-443https 354300x8000000000000000128371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:26.858{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49407-false168.61.186.235-443https 23542300x8000000000000000128370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:28.417{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=96B5B7C993E20F5768848A425C2C233C,SHA256=AB4E111891147C561E3056D3A86C71A9F2FE8CBEADADA10E016447704C18ACA4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000128369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:28.318{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E053-61FC-0100-000000002D02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000128368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:28.318{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:28.318{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:28.318{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
09:07:35.746{7942A313-ECD7-61FC-7802-000000002D02}77767780C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{7942A313-ECD7-61FC-7A02-000000002D02}7816C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b46d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3db4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3f2c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+4002|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27b2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2804|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2948|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7fe06|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+4726f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45e1f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45b16|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45826|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1938a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18bf6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+a831|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1f0a49|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000128468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:35.756{7942A313-ECD7-61FC-7A02-000000002D02}7816C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 
"/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESEAB4.tmp" "c:\Users\Administrator\AppData\Local\Temp\0nz4twhr\CSCE9DB467447674900AA133A6569372.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECBA-61FC-5609-200000000000}0x2009560HighMD5=C877CBB966EA5939AA2A17B6A5160950,SHA256=1FE531EAC592B480AA4BD16052B909C3431434F17E7AE163D248355558CE43A6,IMPHASH=55D76ADE7FFEA0F41FF2B55505C2B362{7942A313-ECD7-61FC-7802-000000002D02}7776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\0nz4twhr\0nz4twhr.cmdline" 10341000x8000000000000000128467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:35.729{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:35.729{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:35.729{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:35.729{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:35.725{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E05A-61FC-1600-000000002D02}1264C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:35.725{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E05A-61FC-1600-000000002D02}1264C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000128461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:34.291{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49414-false152.199.19.161-443https 10341000x8000000000000000128460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:35.646{7942A313-ECBA-61FC-6C02-000000002D02}70646460C:\Windows\system32\conhost.exe{7942A313-ECD7-61FC-7802-000000002D02}7776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:35.631{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:35.631{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:35.631{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:35.631{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:35.631{7942A313-E057-61FC-0500-000000002D02}416432C:\Windows\system32\csrss.exe{7942A313-ECD7-61FC-7802-000000002D02}7776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000128454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:35.631{7942A313-ECBC-61FC-7502-000000002D02}69046772C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7942A313-ECD7-61FC-7802-000000002D02}7776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2be405|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2be05f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2bdb80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2bdb08|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2bc1c3|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+7d8e81|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+7d828a|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\3d53105c9e15534f7b6f1cd8e0ea0e89\Microsoft.PowerShell.Commands.Utility.ni.dll+e7039f80(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\3d53105c9e15534f7b6f1cd8e0ea0e89\Microsoft.PowerShell.Commands.
Utility.ni.dll+e7039f80(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e14e94bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e14c347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e14c30b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1f8b3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e148002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e14e3a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e14c5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e14c5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e14c5aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e14c593c(wow64) 154100x8000000000000000128453Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:35.635{7942A313-ECD7-61FC-7802-000000002D02}7776C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths 
@"C:\Users\Administrator\AppData\Local\Temp\0nz4twhr\0nz4twhr.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECBA-61FC-5609-200000000000}0x2009560HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand 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 11241100x8000000000000000128452Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:35.631{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\0nz4twhr\0nz4twhr.cmdline2022-02-04 09:07:35.631 11241100x8000000000000000128451Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.localDLL2022-02-04 09:07:35.631{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\0nz4twhr\0nz4twhr.dll2022-02-04 09:07:35.631 23542300x8000000000000000128450Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:35.308{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\1912443960\powershell-yaml\README.mdMD5=2BE6396AEBA655CD9EDD9AAA5578F149,SHA256=DF954FA2D7BFA9E029FF717A7AADD5A121649B24255B2324C1AFA5D9FF6CA8FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128449Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:35.308{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\1912443960\powershell-yaml\powershell-yaml.psm1MD5=5F146B18BB809E5D900403AB0066D3E3,SHA256=A7D42EDEA0BD36817C750C5EA6D550274A877094C3CF0C620DFE887F8D41AFEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128448Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:35.308{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\1912443960\powershell-yaml\powershell-yaml.psd1MD5=9BFC87E3A2D4C1B72B26A975E89A0253,SHA256=D6F3DF338AB1A2701E456EA412A28A5981A53C490E19F1CE37FBA466812088DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128447Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:35.308{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\1912443960\powershell-yaml\Load-Assemblies.ps1MD5=5BC56753AE039CB4E6DB7D2B573D8310,SHA256=2163CEA74A5F2D9023C3343CCCC3FAF0996B72850C7A8F2E0735F707B44EE3AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128446Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:35.308{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\1912443960\powershell-yaml\LICENSEMD5=07FFE4BACD78A3E084BD25BAFB532A71,SHA256=F9B5ED99A83F2546D2696763210BAEEE4A8F476A9BE8E69F8C32D9BD9D9516C5,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000128445Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:35.308{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\1912443960\powershell-yaml\Tests\powershell-yaml.Tests.ps1MD5=83E9E0680C2DCA11951CE71B71C85B06,SHA256=5D615B9C64F422D66D98C8E54DF43CC08EB1603399EC71CF661F6FA08D0A18DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128444Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:35.292{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\1912443960\powershell-yaml\lib\netstandard1.3\YamlDotNet.xmlMD5=6FC1D7DCC2B91B4492FC2624927F2C0B,SHA256=E946653D61961FC79F3B970D7996B8F5A5566202148B8A5508B3608D602510E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128443Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:35.292{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\1912443960\powershell-yaml\lib\netstandard1.3\YamlDotNet.dllMD5=C6D295EC641BC776633AB4EDE6EEE871,SHA256=342E5362EE18BBCC1640B31F9F7040A1BDCF53C865E0976F99C4247C0F022B87,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x8000000000000000128442Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:35.292{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\1912443960\powershell-yaml\lib\netstandard1.3\LICENSE-libyamlMD5=6015F088759B10E0BC2BF64898D4AE17,SHA256=D0D8B09800A45CD982E9568FC7669D9C1A4C330E275A821BBE24D54366D16FE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128441Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:35.292{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\1912443960\powershell-yaml\lib\netstandard1.3\LICENSEMD5=25C40CB4C538F431332DE58473C0427A,SHA256=501450819EE316F35A214E7CEC1C19E14E5126392D356069D7AFEC7E59699536,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128440Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:35.292{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\1912443960\powershell-yaml\lib\net45\YamlDotNet.xmlMD5=1045C5CAD5567179C0C91E47C43689E5,SHA256=6C9A38C755046212D995C94D912F1CC27E35A44B0B555F813D4E4510387D2111,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128439Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:35.277{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\1912443960\powershell-yaml\lib\net45\YamlDotNet.dllMD5=DA2625600648BA915F0B84D077D9674C,SHA256=D6651327108E0FBD0CDC31FED001170044D23F31F5F26708E3EDC6C28B4A8C40,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 
23542300x8000000000000000128438Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:35.277{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\1912443960\powershell-yaml\lib\net45\LICENSE-libyamlMD5=6015F088759B10E0BC2BF64898D4AE17,SHA256=D0D8B09800A45CD982E9568FC7669D9C1A4C330E275A821BBE24D54366D16FE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128437Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:35.277{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\1912443960\powershell-yaml\lib\net45\LICENSEMD5=25C40CB4C538F431332DE58473C0427A,SHA256=501450819EE316F35A214E7CEC1C19E14E5126392D356069D7AFEC7E59699536,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128436Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:35.277{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\1912443960\powershell-yaml\lib\net35\YamlDotNet.xmlMD5=1045C5CAD5567179C0C91E47C43689E5,SHA256=6C9A38C755046212D995C94D912F1CC27E35A44B0B555F813D4E4510387D2111,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128435Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:35.277{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
09:07:39.284{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1218.005\src\powershell.ps12022-02-04 09:07:39.284 11241100x8000000000000000128570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:39.281{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1218.005\src\T1218.005.hta2022-02-04 09:07:39.281 11241100x8000000000000000128569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:39.263{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1218.004\src\InstallUtilTestHarness.ps12022-02-04 09:07:39.263 11241100x8000000000000000128568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:39.247{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1218.001\src\T1218.001.chm2022-02-04 09:07:39.247 11241100x8000000000000000128567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:39.216{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1204.002\src\test9-example-payload.txt2022-02-04 09:07:39.216 11241100x8000000000000000128566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:39.216{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1204.002\src\test9-GenericPayloadDownload.txt2022-02-04 09:07:39.216 
11241100x8000000000000000128565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:39.216{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1204.002\src\payload.txt2022-02-04 09:07:39.216 11241100x8000000000000000128564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:39.216{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1204.002\src\chromeexec-macrocode.txt2022-02-04 09:07:39.216 11241100x8000000000000000128563Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:39.216{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1204.002\src\Invoke-MalDoc.ps12022-02-04 09:07:39.216 11241100x8000000000000000128562Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:39.180{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1137.006\src\HelloWorldXll\HelloWorldXll.vcxproj2022-02-04 09:07:39.179 11241100x8000000000000000128561Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:39.173{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1137.006\src\HelloWorldXll.sln2022-02-04 09:07:39.173 11241100x8000000000000000128560Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:39.096{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1134.004\src\PPID-Spoof.ps12022-02-04 09:07:39.096 11241100x8000000000000000128559Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.localDLL2022-02-04 09:07:39.096{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1134.004\bin\calc.dll2022-02-04 09:07:39.096 11241100x8000000000000000128558Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:39.096{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1134.002\src\GetToken.ps12022-02-04 09:07:39.096 11241100x8000000000000000128557Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:39.065{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1133\src\list of vpn extension.txt2022-02-04 09:07:39.065 23542300x8000000000000000128556Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:39.065{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D4C07A2CF53227D1C1634B471B296CF2,SHA256=00C1C35374CFC9FF81EA221735C6CB33C7A90B33D5E700FA26206BCB061F1BAD,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000128555Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:39.042{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1127.001\src\T1127.001.csproj2022-02-04 09:07:39.042 23542300x8000000000000000128554Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:39.027{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=008218A40AAA8055D47E2FD99F82EE00,SHA256=85570809BC58E62EE1536E6699557DBF719D525207FB48B1D09AD4C701E72BA8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000128553Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:39.011{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1115\src\T1115-macrocode.txt2022-02-04 09:07:39.011 11241100x8000000000000000128552Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:39.011{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1114.001\src\Get-Inbox.ps12022-02-04 09:07:39.011 10341000x8000000000000000128654Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:40.866{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128653Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:40.866{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128652Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:40.866{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000128651Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:40.850{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-E053-61FC-0100-000000002D02}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+2d0d6|C:\Windows\system32\lsasrv.dll+32919|C:\Windows\system32\lsasrv.dll+30267|C:\Windows\system32\lsasrv.dll+2f1f1|C:\Windows\system32\lsasrv.dll+1752d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000128650Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:40.834{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128649Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:40.834{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128648Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:40.834{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
23542300x8000000000000000128647Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:40.814{7942A313-ECBA-61FC-6E02-000000002D02}6820ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128646Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:40.797{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A90A9C2DA41AC386C71894D6CE39CBAD,SHA256=22877D766BC77FA2A83CA03506BDB9A67F114FF8B379F63D24D66BB9CC7122F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128645Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:40.750{7942A313-ECBB-61FC-7002-000000002D02}6780ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=CF809ABE1A76292E9751C7EA15A51465,SHA256=08A3749B7B5CE79B4FC86760A1DD1FCF25C5E07E2B7DF30B33BE693EB5F41CD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128644Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:40.581{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128643Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:40.565{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\master.zipMD5=53DAB9CF6DBD2C1882195CA0ABBB4B53,SHA256=3AA945CC8F720EB223B541A214AF79D20BC22E0A67437BC12CD1AA312C0E751E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128642Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:40.481{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\README.mdMD5=C986DF90B30B13C19541BA910683AA8A,SHA256=156953E92C1288D6B5260FC7549E7B54A851CA4F0ECA4AC0D77983BA14BBB63D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128641Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:40.481{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\LICENSE.txtMD5=DDA4F30CDD84D94A82586B61071F6AE3,SHA256=65AF6027045D23175366EAB50E460AB3EE7790E591CB84CC32C78AC63A4C90E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128640Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:40.481{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\Gemfile.lockMD5=0C2AC900393623D31CF64E19B6177354,SHA256=840602E97055DB4BC9ECAD71742016DA63EF9786363B38591F2A5938959F80B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128639Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:40.481{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\GemfileMD5=941AF0BA561B616259448F885700C638,SHA256=E5A60369F1C35923A4C0E570BBB8967B794819ACE8AAF6AD9BD91FD918C80498,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128638Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:40.481{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\CODE_OF_CONDUCT.mdMD5=7311F0F35BD1BC42744C149C39799142,SHA256=0698E69796C939CA62A0CCBE3ED56D9427396FA3D2731372BA3E1DA259C1A476,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128637Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:40.481{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomic-red-team.gemspecMD5=72604DECAA8E4A06107E9A7B5D3EC171,SHA256=EE028FC7416B60DDCD87BD3AC86ED055F3D75ABAD55063438BA29E0E8AF16BBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128636Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:40.481{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\.gitignoreMD5=B3F8DAD00BDF6EAEA090F9C201FCDD95,SHA256=5531CB6F62AF6427DB66909BF5420F0769E0D03D3AC4370EEFB2FB3AF6FC076F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128635Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:40.481{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\bin\validate-atomics.rbMD5=1BFA06A740179BB9BF6E5B93E337061F,SHA256=36E960538A189FCF3B829D37CE4E7DAC7F8F9CBF0260757EB57CFDB59A87CC7B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128634Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:40.465{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\bin\new-atomic.rbMD5=5F3E55769D07E098C7DBC8BE12A7C71A,SHA256=B86E046B7DD3AA1D675AED981802513263B3902C2F26B827B1671D5B1261E95D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128633Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:40.465{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\bin\generate-guids.rbMD5=F9367D3F2E5E97A0DF032EDB7B7898A9,SHA256=8F8E2B7465FB26BDE3D48F95C8B9C12E75D481BD8577D054D11D699422AFF8E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128632Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:40.465{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\bin\generate-atomic-docs.rbMD5=5FAE0CB77220CB04BE803FEFE01765EE,SHA256=BA3082544E08DE610D3FA85BDEB63EBC0D605CA6A35BA41A7CD90D3973D225E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128631Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:40.465{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomic_red_team\spec.yamlMD5=C9EC4428641009D5148B034BC85049D9,SHA256=50D862AB81041F28C190454603ACC528302B9A51A2831C36F90D750676A96C55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128630Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:40.465{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomic_red_team\enterprise-attack.jsonMD5=1529270E72BB9F28707FB4F24EE52371,SHA256=3B084E1B504FC18DCF72F8A930E3D276EEF1395BAE255B4FD0C8E4B9B286BC52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128629Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:40.296{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomic_red_team\attack_api.rbMD5=8168663E485A4DC3476514864634A463,SHA256=75CDAD6F1810DBE6C2C007301BEBDB9687AE3C5F66896B7207AE60A95AA5AC8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128628Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:40.296{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomic_red_team\atomic_test_template.yamlMD5=8B1B85D4D0EC0804B3293EB71F93AA27,SHA256=B173CFB3A886F4CB2619188C1C6950FE5491370EEA18430B465702C4418AE8E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128627Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:40.296{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomic_red_team\atomic_red_team.rbMD5=D5E7BFD0A065E6E734006672A6D959FA,SHA256=F0709ECF072E5F57C221C09117F376BC7E552C07EC71073DD052450EB209B213,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128626Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:40.296{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomic_red_team\atomic_execution_template.html.erbMD5=D4908B1E39CC61772E5D74E5FB77D241,SHA256=03626549A59ABF648EE59163B3B8ACBF66C36513CB1E76D6E277BC044C926E30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128625Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:40.296{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomic_red_team\atomic_doc_template.md.erbMD5=8AC3EABF72CC398DE52572DD72DEFA28,SHA256=4187243AD7872DD5DBF53B60C7208E81DA3E509FBB97AA7DFBA2071E8BEA70F5,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000128624Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:40.296{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\.github\pull_request_template.mdMD5=86EF896EED1FC3FB82AE37A48E4F8B88,SHA256=9E0B739CAAB0501BE480FECC661D313D1D4A90B41B09CC9C691D732C6E2DB636,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128623Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:40.296{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\.github\ISSUE_TEMPLATE\website_change.mdMD5=1DCAB611952C77BC668437CBC1CB4764,SHA256=F9FEF93C89EA99CF773046583A1A1397B7C3A8B8CACE303557002F16E594E84A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128622Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:40.296{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\.github\ISSUE_TEMPLATE\problem_report.mdMD5=A0F7603FCFB2D6D33C7EC6554403885A,SHA256=517D24689D745FAFFC6766A138B90C5864A8A490D7DA43978299F3D2ECC9B6FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128621Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:40.280{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\.github\ISSUE_TEMPLATE\new_atomic.mdMD5=F458CFDF043720C5E1DEF577E50C9C6F,SHA256=4A7F665168CC3A1D94BB5E30A5F240E95B821170EC627FB20A690F0EEFD05305,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128620Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:40.280{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\.github\ISSUE_TEMPLATE\idea.mdMD5=05897C3E94392BF4299FF1910CE41B9C,SHA256=1018F3AA597B70F05214DA4ED66C6646AAC5A7387D65FB37AC85344AC5E6E0A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128619Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:40.280{7942A313-ECBC-61FC-7502-000000002D02}6904ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\.circleci\config.ymlMD5=793F4A5543E5F5E049A2695117AB220E,SHA256=401A7E3CD9464CB7D8D97B659698FE0B280F99E6CDD33723FF625B4E0719D2EA,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000128618Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:40.264{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\used_guids.txt2022-02-04 09:07:40.264 11241100x8000000000000000128617Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.localDLL2022-02-04 
09:07:40.233{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1574.012\src\x64\Release\atomicNotepad.dll2022-02-04 09:07:40.233 11241100x8000000000000000128616Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:40.217{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1574.012\src\atomicNotepad\atomicNotepad.vcxproj2022-02-04 09:07:40.217 11241100x8000000000000000128615Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:40.217{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1574.012\src\atomicNotepad.sln2022-02-04 09:07:40.217 11241100x8000000000000000128614Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.localDLL2022-02-04 09:07:40.217{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1574.012\bin\T1574.012x64.dll2022-02-04 09:07:40.217 11241100x8000000000000000128613Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.localEXE2022-02-04 09:07:40.196{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1574.009\bin\WindowsServiceExample.exe2022-02-04 09:07:40.196 11241100x8000000000000000128612Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.localDLL2022-02-04 09:07:40.180{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1574.002\bin\libcurl.dll2022-02-04 09:07:40.180 
11241100x8000000000000000128611Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.localEXE2022-02-04 09:07:40.165{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1574.002\bin\GUP.exe2022-02-04 09:07:40.165 23542300x8000000000000000128610Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:40.149{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B202EBFDDE61B338540D6B0833E91DBB,SHA256=7FA9E871CB13358A67322E79554B9EA2DB1FF21635AA3727ED5DDB8045FD4D36,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000128609Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:40.149{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1572\src\T1572-doh-domain-length.ps12022-02-04 09:07:40.149 11241100x8000000000000000128608Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:40.149{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1572\src\T1572-doh-beacon.ps12022-02-04 09:07:40.149 11241100x8000000000000000128607Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:40.115{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1566.001\bin\PhishingAttachment.xlsm2022-02-04 09:07:40.115 
11241100x8000000000000000128606Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:40.095{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1564\src\T1564-macrocode.txt2022-02-04 09:07:40.095 11241100x8000000000000000128605Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:40.085{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1564.004\src\test.ps12022-02-04 09:07:40.085 23542300x8000000000000000128604Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:40.085{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FAD7C43F59FDD02ABE66E9BF7CA3B82,SHA256=5199690BE878B8BA31E08A8C780FF259D4544167F427585D679B76DEF370000C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000128603Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.localEXE2022-02-04 09:07:40.033{7942A313-ECBC-61FC-7502-000000002D02}6904C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-master\atomics\T1562.004\bin\AtomicTest.exe2022-02-04 09:07:40.033 23542300x8000000000000000128738Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:41.918{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0CCABF0E57ED7479460DCEF27FD5E4A,SHA256=98FF6CBBEDAEE4B404EC203EFE843A3DC3298578ED76F00A983C11C66FF61595,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000128737Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:41.896{7942A313-ECDD-61FC-7E02-000000002D02}65727236C:\Windows\system32\conhost.exe{7942A313-ECDD-61FC-8202-000000002D02}7156C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128736Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:41.881{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128735Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:41.881{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128734Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:41.881{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128733Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:41.881{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128732Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:41.881{7942A313-E057-61FC-0500-000000002D02}416432C:\Windows\system32\csrss.exe{7942A313-ECDD-61FC-8202-000000002D02}7156C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000128731Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:41.881{7942A313-ECDD-61FC-8102-000000002D02}74207520C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7942A313-ECDD-61FC-8202-000000002D02}7156C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e20f0024(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e157347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e15730b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e203b3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e153002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1593a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1575aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1575aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\S
ystem.Management.Automation.ni.dll+e157593c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e156665c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1573b9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e157376b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e157347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e15730b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e203b3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1558363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e15578d5(wow64) 154100x8000000000000000128730Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:41.893{7942A313-ECDD-61FC-8202-000000002D02}7156C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 
65001C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECDD-61FC-6754-210000000000}0x2154670HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{7942A313-ECDD-61FC-8102-000000002D02}7420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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 10341000x8000000000000000128729Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:41.865{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128728Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:41.865{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128727Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:41.865{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
23542300x8000000000000000128726Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:41.849{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F71BE82F4060011A17F38C89AC672B6C,SHA256=D95D5989540B75B9080C5343A9C200EDB0869E7322656698D0E2C0892D05FA7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128725Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:41.849{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED86821AA221A23987EB8CF5551B7ACA,SHA256=29C92BC85219B2BAA88B15CE47D7128445BA9031C53375E7A8CAF18AFD9996D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128724Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:41.818{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E6F0506AB9CC64B1C2ADFE36AA121A24,SHA256=2B56CAF00EC74661D2754C1249D0848FC2054099688D0479222F88D4243FC6DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000128723Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:41.765{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-ECDD-61FC-8102-000000002D02}7420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128722Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:41.765{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-ECDD-61FC-8102-000000002D02}7420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
17141700x8000000000000000128721Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-CreatePipe2022-02-04 09:07:41.734{7942A313-ECDD-61FC-8102-000000002D02}7420\PSHost.132884392615777631.7420.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000128720Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:41.718{7942A313-ECDD-61FC-8102-000000002D02}7420ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_5chf31oz.bh0.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128719Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:41.718{7942A313-ECDD-61FC-8102-000000002D02}7420ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_uhk0fl3p.flc.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000128718Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:41.697{7942A313-ECDD-61FC-8102-000000002D02}7420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_uhk0fl3p.flc.ps12022-02-04 09:07:41.697 10341000x8000000000000000128717Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:41.652{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-ECDD-61FC-8102-000000002D02}7420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128716Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:41.634{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-ECDD-61FC-8102-000000002D02}7420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000128715Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:41.618{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-ECDD-61FC-8102-000000002D02}7420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128714Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:41.581{7942A313-ECDD-61FC-7E02-000000002D02}65727236C:\Windows\system32\conhost.exe{7942A313-ECDD-61FC-8102-000000002D02}7420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128713Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:41.567{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128712Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:41.567{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128711Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:41.567{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128710Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:41.567{7942A313-E057-61FC-0500-000000002D02}416532C:\Windows\system32\csrss.exe{7942A313-ECDD-61FC-8102-000000002D02}7420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000128709Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:41.234{7942A313-E059-61FC-0C00-000000002D02}836500C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128669Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:41.234{7942A313-E059-61FC-0C00-000000002D02}836500C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128668Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:41.218{7942A313-E059-61FC-0C00-000000002D02}836500C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128667Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:41.218{7942A313-E059-61FC-0C00-000000002D02}836500C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128666Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:41.218{7942A313-E057-61FC-0500-000000002D02}416432C:\Windows\system32\csrss.exe{7942A313-ECDD-61FC-7D02-000000002D02}6952C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000128665Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:41.218{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-ECDD-61FC-7D02-000000002D02}6952C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366d9|c:\windows\system32\rpcss.dll+3bec2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000128664Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:41.232{7942A313-ECDD-61FC-7D02-000000002D02}6952C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe 
-EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{7942A313-ECDD-61FC-6754-210000000000}0x2154670HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{7942A313-E059-61FC-0C00-000000002D02}836C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000128663Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:41.218{7942A313-E059-61FC-0C00-000000002D02}836500C:\Windows\system32\svchost.exe{7942A313-E05A-61FC-1600-000000002D02}1264C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128662Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:41.218{7942A313-E059-61FC-0C00-000000002D02}836500C:\Windows\system32\svchost.exe{7942A313-ECDD-61FC-7C02-000000002D02}6488C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128661Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:41.197{7942A313-E057-61FC-0500-000000002D02}416408C:\Windows\system32\csrss.exe{7942A313-ECDD-61FC-7C02-000000002D02}6488C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000128660Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:41.197{7942A313-E059-61FC-0C00-000000002D02}836500C:\Windows\system32\svchost.exe{7942A313-ECDD-61FC-7C02-000000002D02}6488C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366d9|c:\windows\system32\rpcss.dll+3bec2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128659Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:41.197{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1600-000000002D02}1264C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000128658Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:41.197{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128657Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:41.197{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128656Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:41.197{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
23542300x8000000000000000128655Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:41.097{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7ACDBE90349E39B9A7EDEC264939B4F,SHA256=D5FAB92A56D1243AA91296128AF18FE1D38601BC456729D73186ED8C234EAF73,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000128778Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:41.198{7942A313-E053-61FC-0100-000000002D02}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:d08a:14f6:33fc:643bwin-dc-tcontreras-attack-range-492.attackrange.local49417-truefe80:0:0:0:d08a:14f6:33fc:643bwin-dc-tcontreras-attack-range-492.attackrange.local445microsoft-ds 354300x8000000000000000128777Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:41.197{7942A313-E053-61FC-0100-000000002D02}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:d08a:14f6:33fc:643bwin-dc-tcontreras-attack-range-492.attackrange.local49417-truefe80:0:0:0:d08a:14f6:33fc:643bwin-dc-tcontreras-attack-range-492.attackrange.local445microsoft-ds 23542300x8000000000000000128776Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:42.881{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F71BE82F4060011A17F38C89AC672B6C,SHA256=D95D5989540B75B9080C5343A9C200EDB0869E7322656698D0E2C0892D05FA7F,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000128775Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:42.797{7942A313-ECDD-61FC-8102-000000002D02}7420ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\pxwnsyo4.outMD5=5A7B1EF1844F9E48651CCAEA499A464F,SHA256=CF6A784B7837F7AE4451CC89B25093A7C77DA27F68115E70849122C780553838,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128774Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:42.797{7942A313-ECDD-61FC-8102-000000002D02}7420ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\pxwnsyo4.pdbMD5=7A29BB48EC2651126A6DA65780ECDD81,SHA256=7D434614D39AEBB755C840C9686D7E74563F24C86984EE5F7FD6E6792CCB0AAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128773Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:42.797{7942A313-ECDD-61FC-8102-000000002D02}7420ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\pxwnsyo4.dllMD5=8B68CE30EB4502FC206A08B0884F80DC,SHA256=DADAF0D9BAEDC4240B6BF853020DB0EB5D723046146FDE998AAF1BFA6AF8A91B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x8000000000000000128772Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:42.797{7942A313-ECDD-61FC-8102-000000002D02}7420ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\pxwnsyo4.cmdlineMD5=4F26182FAEBC5612A209AC465253170D,SHA256=8930AB958B3B790558089E55F4AD1A016E90DEB1D47F774F23E727F66BBDE040,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000128771Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:42.781{7942A313-ECDD-61FC-8102-000000002D02}7420ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\pxwnsyo4.0.csMD5=44815CB25A26138A7FD7D3913389A1EF,SHA256=2FA6F086E1B722523C9234D388346BB140EAA3D3047C298403CEDF7BA59A3B57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128770Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:42.781{7942A313-ECDE-61FC-8302-000000002D02}6936ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\CSC26AA1C9F334E48B19336DFDBF84247A.TMPMD5=3AC3DB90FB5CDD8C17C0B7C2283986A6,SHA256=E6D5B10FC3906DF64B1FE618EA9110DD363D945C76E3DB9F0A2792A446176248,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000128769Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.localDLL2022-02-04 09:07:42.781{7942A313-ECDE-61FC-8302-000000002D02}6936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\pxwnsyo4.dll2022-02-04 09:07:42.518 23542300x8000000000000000128768Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:42.781{7942A313-ECDE-61FC-8302-000000002D02}6936ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\pxwnsyo4.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128767Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:42.766{7942A313-ECDE-61FC-8302-000000002D02}6936ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES5FC.tmpMD5=5B2BA94D9B1B567016CB2362A23D9941,SHA256=F809B04B6120077ED51B18723BA0083F50ED5C1CF0FBE8B3F80BED8F1C73EE29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128766Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:42.766{7942A313-ECDE-61FC-8402-000000002D02}7072ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES5FC.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000128765Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:42.750{7942A313-ECDD-61FC-7E02-000000002D02}65727236C:\Windows\system32\conhost.exe{7942A313-ECDE-61FC-8402-000000002D02}7072C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128764Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:42.750{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128763Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:42.750{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128762Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:42.750{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128761Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:42.734{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128760Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:42.734{7942A313-E057-61FC-0500-000000002D02}416432C:\Windows\system32\csrss.exe{7942A313-ECDE-61FC-8402-000000002D02}7072C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000128759Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:42.734{7942A313-ECDE-61FC-8302-000000002D02}69367112C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{7942A313-ECDE-61FC-8402-000000002D02}7072C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b46d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3db4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3f2c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+4002|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27b2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2804|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2948|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7fe06|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+4726f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45e1f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45b16|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45826|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1938a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18bf6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+a831|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1f0a49|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
154100x8000000000000000128758Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:42.749{7942A313-ECDE-61FC-8402-000000002D02}7072C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES5FC.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSC26AA1C9F334E48B19336DFDBF84247A.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECDD-61FC-6754-210000000000}0x2154670HighMD5=C877CBB966EA5939AA2A17B6A5160950,SHA256=1FE531EAC592B480AA4BD16052B909C3431434F17E7AE163D248355558CE43A6,IMPHASH=55D76ADE7FFEA0F41FF2B55505C2B362{7942A313-ECDE-61FC-8302-000000002D02}6936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\pxwnsyo4.cmdline" 23542300x8000000000000000128757Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:42.666{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=99180DA7516C6C21C5400B4D916C19A8,SHA256=453CEFBD204CA0136EAFC72C523729F6D8B16F138E9D89372FE9B7B32BEA1882,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000128756Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:42.519{7942A313-ECDD-61FC-7E02-000000002D02}65727236C:\Windows\system32\conhost.exe{7942A313-ECDE-61FC-8302-000000002D02}6936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128755Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:42.519{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128754Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:42.519{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128753Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:42.519{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128752Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:42.519{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128751Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:42.519{7942A313-E057-61FC-0500-000000002D02}416408C:\Windows\system32\csrss.exe{7942A313-ECDE-61FC-8302-000000002D02}6936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000128750Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:42.519{7942A313-ECDD-61FC-8102-000000002D02}74207520C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7942A313-ECDE-61FC-8302-000000002D02}6936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2be405|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2be05f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2bdb80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2bdb08|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2bc1c3|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+7d88f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+7d836a|UNKNOWN(00007FFF9912B6EF) 154100x8000000000000000128749Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:42.521{7942A313-ECDE-61FC-8302-000000002D02}6936C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths 
@"C:\Users\ADMINI~1\AppData\Local\Temp\pxwnsyo4.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECDD-61FC-6754-210000000000}0x2154670HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{7942A313-ECDD-61FC-8102-000000002D02}7420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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 11241100x8000000000000000128748Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:42.519{7942A313-ECDD-61FC-8102-000000002D02}7420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\pxwnsyo4.cmdline2022-02-04 09:07:42.519 11241100x8000000000000000128747Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.localDLL2022-02-04 09:07:42.518{7942A313-ECDD-61FC-8102-000000002D02}7420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\pxwnsyo4.dll2022-02-04 09:07:42.518 10341000x8000000000000000128746Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:42.515{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128745Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:42.515{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128744Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:42.512{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
23542300x8000000000000000128743Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:42.415{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4E07DAA930B416A0091CE41EAF79DFB4,SHA256=B80C04CAF845FD53FD9336A8DCDEA86B0CAF3B7D9F62AD53EA6A51A1CB3C478D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128742Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:42.234{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A297C416BB6E0A7ECD1A1BB4268D8903,SHA256=E3C4834FFE19FD17348B755FB2B5A46401A9E65D9C9159368B8C0EAF08787463,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128741Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:42.234{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B6F11C19E38AA95D846D9918152BCF0D,SHA256=EDBF59432A10ABBA92E71FBDBBF421C115640F9B3628BF7CAD874C8FDE7948FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000128740Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:42.134{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-ECDD-61FC-8102-000000002D02}7420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000128739Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:42.118{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E652986B68A2D00A2F6B956088472092,SHA256=092FA11EAEFD9CDAFB9EECA8FD24838B7FE49D6C97338D8DF679F5D81E2C4088,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128799Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:43.952{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=ABC2DD9F66EE9E6EE757929418D792E4,SHA256=423CBC5BE73716A842A6A57217CB83129148CB6E2B9CB6573FDF190CC3D40B31,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000128798Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:41.493{7942A313-E053-61FC-0100-000000002D02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse93.104.88.175ppp-93-104-88-175.dynamic.mnet-online.de50464-false10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local5986- 10341000x8000000000000000128797Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:43.567{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-ECDF-61FC-8502-000000002D02}7552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128796Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:43.567{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-ECDF-61FC-8502-000000002D02}7552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000128795Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-CreatePipe2022-02-04 09:07:43.520{7942A313-ECDF-61FC-8502-000000002D02}7552\PSHost.132884392633098238.7552.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000128794Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:43.498{7942A313-ECDF-61FC-8502-000000002D02}7552ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_h2hqsk3w.aep.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128793Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:43.498{7942A313-ECDF-61FC-8502-000000002D02}7552ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_fetv5o42.gtv.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000128792Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:43.452{7942A313-ECDF-61FC-8502-000000002D02}7552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_fetv5o42.gtv.ps12022-02-04 09:07:43.452 10341000x8000000000000000128791Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:43.420{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-ECDF-61FC-8502-000000002D02}7552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128790Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:43.399{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-ECDF-61FC-8502-000000002D02}7552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128789Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:43.383{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-ECDF-61FC-8502-000000002D02}7552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000128788Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:43.315{7942A313-ECDD-61FC-7E02-000000002D02}65727236C:\Windows\system32\conhost.exe{7942A313-ECDF-61FC-8502-000000002D02}7552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128787Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:43.298{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128786Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:43.298{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128785Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:43.298{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128784Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:43.298{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128783Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:43.298{7942A313-E057-61FC-0500-000000002D02}416408C:\Windows\system32\csrss.exe{7942A313-ECDF-61FC-8502-000000002D02}7552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000128782Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:43.298{7942A313-ECDD-61FC-8102-000000002D02}74207300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7942A313-ECDF-61FC-8502-000000002D02}7552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|UNKNOWN(00007FFF98EBBF90) 154100x8000000000000000128781Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:43.309{7942A313-ECDF-61FC-8502-000000002D02}7552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" -noninteractive -encodedcommand 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:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECDD-61FC-6754-210000000000}0x2154670HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{7942A313-ECDD-61FC-8102-000000002D02}7420C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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 23542300x8000000000000000128780Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:43.251{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76AFA3622E63C384CA9E51166223C572,SHA256=0A96336258539A196E28114DAC9604006E26C071F8245816F82B4BDBA188300D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128779Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:43.251{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=164E624584142A0AEABF8D5B7BC558E7,SHA256=EF0BBC850DBC52D923E11AEDB0217E92D6407393216C5007153F670AC73CFEA9,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000128858Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.970{7942A313-E5D0-61FC-3501-000000002D02}41684264C:\Windows\Explorer.EXE{7942A313-E82C-61FC-9101-000000002D02}4948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a20|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8005BC58FF8)|UNKNOWN(FFFFB49CA6EA5B48)|UNKNOWN(FFFFB49CA6EA5CC7)|UNKNOWN(FFFFB49CA6EA0351)|UNKNOWN(FFFFB49CA6EA1D1A)|UNKNOWN(FFFFB49CA6E9FFD6)|UNKNOWN(FFFFF8005B970503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5928b|C:\Windows\System32\SHELL32.dll+dac4a|C:\Windows\System32\SHCORE.dll+33fad 10341000x8000000000000000128857Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.970{7942A313-E5D0-61FC-3501-000000002D02}41684264C:\Windows\Explorer.EXE{7942A313-E82C-61FC-9101-000000002D02}4948C:\Program Files\Mozilla 
Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55501|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8005BC58FF8)|UNKNOWN(FFFFB49CA6EA5B48)|UNKNOWN(FFFFB49CA6EA5CC7)|UNKNOWN(FFFFB49CA6EA0351)|UNKNOWN(FFFFB49CA6EA1D1A)|UNKNOWN(FFFFB49CA6E9FFD6)|UNKNOWN(FFFFF8005B970503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5928b|C:\Windows\System32\SHELL32.dll+dac4a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000128856Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.954{7942A313-E82C-61FC-9101-000000002D02}4948ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF310ea7.TMPMD5=668C4BD8A2ADBDC1F9D4A5E47B42838F,SHA256=1F2ECB804BEA7F0A777944762722A15A2AB97236216887DCDC1F909A700FED39,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000128855Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.954{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=23499D99566DEB9CAF26448AA0E345C6,SHA256=93920861D7FCEE6153DAD5A7CBEAAFD989139D1FCDAB31B57E663A1BEE06B46A,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000128854Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.454{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-ECE0-61FC-8902-000000002D02}7820C:\Windows\system32\whoami.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000128853Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.438{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A8A858785B2E19AAFC22325E5C950554,SHA256=68C645406AF5ADDAE11833BE6DAB4AEB6BE784D8673A9D16E8E393D4457654A9,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000128852Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.422{7942A313-ECDD-61FC-7E02-000000002D02}65727236C:\Windows\system32\conhost.exe{7942A313-ECE0-61FC-8902-000000002D02}7820C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000128851Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.422{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000128850Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.422{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000128849Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.422{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000128848Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.422{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000128847Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.422{7942A313-E057-61FC-0500-000000002D02}416532C:\Windows\system32\csrss.exe{7942A313-ECE0-61FC-8902-000000002D02}7820C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
23542300x8000000000000000128846Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.422{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ADB0E707BED89C7C304426E71B90284,SHA256=1D3FD85B53451AD76EF7C099B2DC7A9EEC26676E533A6919ED5ACB9EF5620027,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000128845Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.422{7942A313-ECDF-61FC-8502-000000002D02}75527688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7942A313-ECE0-61FC-8902-000000002D02}7820C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e21a0027(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1623480(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e16230bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e20eb3e9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e15e002d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1643a9f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1625aae(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1625aae(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1625aae(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e162593f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e161665f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1623ba1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1623713(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1623480(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e16230bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e20eb3e9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e15e002d(wow64)
154100x8000000000000000128844Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.422{7942A313-ECE0-61FC-8902-000000002D02}7820C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECDD-61FC-6754-210000000000}0x2154670HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{7942A313-ECDF-61FC-8502-000000002D02}7552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand 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
23542300x8000000000000000128843Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.385{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7127CC6375D0BA29302C2C4E0BDB01B9,SHA256=402157B86313217C27F5B834119AC3E652BD369FCD14CFDD772FFCF5DDA35C50,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000128842Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.385{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=778B7F357D4B91FF8A91B543151FEA6C,SHA256=76AB5AB9259C79855FA437892A272AC860B8D0F7931129E40458040907AD7EE3,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000128841Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.385{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FBCD19D8289BBA58A931DBD2EE90A095,SHA256=44E363FE6BB1EBB0DDCCB45AD43E5A7EDE2AB459E947317F1292D3EC5C5454B0,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000128840Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.385{7942A313-ECDD-61FC-7E02-000000002D02}65727236C:\Windows\system32\conhost.exe{7942A313-ECE0-61FC-8802-000000002D02}6436C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000128839Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.385{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000128838Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.385{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000128837Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.385{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000128836Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.385{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000128835Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.385{7942A313-E057-61FC-0500-000000002D02}416408C:\Windows\system32\csrss.exe{7942A313-ECE0-61FC-8802-000000002D02}6436C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000128834Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.385{7942A313-ECDF-61FC-8502-000000002D02}75527688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7942A313-ECE0-61FC-8802-000000002D02}6436C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e21a0027(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1623480(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e16230bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e20eb3e9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e15e002d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1643a9f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1625aae(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1625aae(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1625aae(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e162593f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e161665f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1623ba1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1623713(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1623480(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e16230bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e20eb3e9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e15e002d(wow64)
154100x8000000000000000128833Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.386{7942A313-ECE0-61FC-8802-000000002D02}6436C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECDD-61FC-6754-210000000000}0x2154670HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{7942A313-ECDF-61FC-8502-000000002D02}7552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand 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
23542300x8000000000000000128832Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.385{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5043B4B2395864E4DF2C2C09E93B720,SHA256=8D27F673982DE6A98CDAEE821C2FE692F099B9ECE7C2ACE17BFD5BE0A38CFF66,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000128831Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.338{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-ECDF-61FC-8502-000000002D02}7552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000128830Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.322{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-ECDF-61FC-8502-000000002D02}7552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
23542300x8000000000000000128829Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.252{7942A313-E82C-61FC-9101-000000002D02}4948ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\q2h6ebb1.default-release\cache2\indexMD5=B0442E0A3882DDF0167A83C038D1D3A5,SHA256=F0E5ADD0ABE920F2650BAD765FEEE27C64658707D1B2588831D4D3BC7CE06C5E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000128828Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.153{7942A313-ECDF-61FC-8502-000000002D02}7552ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\vvm15jk1\vvm15jk1.cmdlineMD5=0E02D483B3CB517EDAF27B3D1E5B36AD,SHA256=8139D82AC9E6A415A1818CCD6D5ADD8BFD9938823D73EAF1F90F0B2440342610,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000128827Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.153{7942A313-ECDF-61FC-8502-000000002D02}7552ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\vvm15jk1\vvm15jk1.0.csMD5=10E9ABF0FAE68083CD0F74B09AFF5337,SHA256=D5A895B2362348B06CF4EEC1C6C912F9BA19E882023309237AA479EDC6E9834E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000128826Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.153{7942A313-ECDF-61FC-8502-000000002D02}7552ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\vvm15jk1\vvm15jk1.dllMD5=9A659BC21503C498090E0EA8D4799119,SHA256=8DEA9210D8EDEBF496D261F181193A76A4D8B13031E0965F8A1ABC3A00EC6454,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue
23542300x8000000000000000128825Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.137{7942A313-ECDF-61FC-8502-000000002D02}7552ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\vvm15jk1\vvm15jk1.outMD5=87CAA602BFCA77E866D3D725CB61C5A0,SHA256=F737A7FF7CA43B5F9DD739CCF20BAF4B2CE0DF273287DD15241382BBE9205D0E,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000128824Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.137{7942A313-ECE0-61FC-8602-000000002D02}7708ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\vvm15jk1\CSC87B38C0EA30C4F9B833C4CD67DB9EF98.TMPMD5=6CBE4D1D027C79B5427230A475685B87,SHA256=7FD6789EAEF90E908D510799B02A181C3D98B5859E6DDC1CE77C700BACA19587,IMPHASH=00000000000000000000000000000000falsetrue
11241100x8000000000000000128823Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.localDLL2022-02-04 09:07:44.137{7942A313-ECE0-61FC-8602-000000002D02}7708C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\vvm15jk1\vvm15jk1.dll2022-02-04 09:07:44.037
23542300x8000000000000000128822Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.137{7942A313-ECE0-61FC-8602-000000002D02}7708ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\vvm15jk1\vvm15jk1.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000128821Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.137{7942A313-ECE0-61FC-8602-000000002D02}7708ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\RESB6B.tmpMD5=5A6DF4E2F94EC7D2C3A536AA9F012262,SHA256=024FDDEE13BB432FC70A8108D62349F35F5167E6736E11AEB681C8E3019D6219,IMPHASH=00000000000000000000000000000000falsetrue
23542300x8000000000000000128820Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.121{7942A313-ECE0-61FC-8702-000000002D02}7732ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\RESB6B.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000128819Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.121{7942A313-ECDD-61FC-7E02-000000002D02}65727236C:\Windows\system32\conhost.exe{7942A313-ECE0-61FC-8702-000000002D02}7732C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000128818Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.121{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000128817Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.121{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000128816Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.121{7942A313-E057-61FC-0500-000000002D02}416408C:\Windows\system32\csrss.exe{7942A313-ECE0-61FC-8702-000000002D02}7732C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f
10341000x8000000000000000128815Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.121{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000128814Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.121{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000128813Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.121{7942A313-ECE0-61FC-8602-000000002D02}77087712C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{7942A313-ECE0-61FC-8702-000000002D02}7732C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b46d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3db4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3f2c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+4002|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27b2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2804|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2948|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7fe06|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+4726f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45e1f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45b16|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45826|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1938a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18bf6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+a831|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1f0a49|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
154100x8000000000000000128812Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.124{7942A313-ECE0-61FC-8702-000000002D02}7732C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESB6B.tmp" "c:\Users\Administrator\AppData\Local\Temp\vvm15jk1\CSC87B38C0EA30C4F9B833C4CD67DB9EF98.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECDD-61FC-6754-210000000000}0x2154670HighMD5=C877CBB966EA5939AA2A17B6A5160950,SHA256=1FE531EAC592B480AA4BD16052B909C3431434F17E7AE163D248355558CE43A6,IMPHASH=55D76ADE7FFEA0F41FF2B55505C2B362{7942A313-ECE0-61FC-8602-000000002D02}7708C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\vvm15jk1\vvm15jk1.cmdline"
11241100x8000000000000000128811Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.117{7942A313-E82C-61FC-9101-000000002D02}4948C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q2h6ebb1.default-release\SiteSecurityServiceState.txt2022-02-03 16:36:33.848
23542300x8000000000000000128810Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.116{7942A313-E82C-61FC-9101-000000002D02}4948ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q2h6ebb1.default-release\SiteSecurityServiceState.txtMD5=D3A4DB1D6999EAEE19977D2C51BDA387,SHA256=97FD594248BFF5BDB8B66A030B5D13063B708BEABA73F1667AFAE89505FC9F66,IMPHASH=00000000000000000000000000000000falsetrue
10341000x8000000000000000128809Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.037{7942A313-ECDD-61FC-7E02-000000002D02}65727236C:\Windows\system32\conhost.exe{7942A313-ECE0-61FC-8602-000000002D02}7708C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791
10341000x8000000000000000128808Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:44.037{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128807Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.037{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128806Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:44.037{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128805Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.037{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128804Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:44.037{7942A313-E057-61FC-0500-000000002D02}416408C:\Windows\system32\csrss.exe{7942A313-ECE0-61FC-8602-000000002D02}7708C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000128803Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.037{7942A313-ECDF-61FC-8502-000000002D02}75527688C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7942A313-ECE0-61FC-8602-000000002D02}7708C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2be405|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2be05f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2bdb80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2bdb08|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2bc1c3|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+7d8e81|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+7d828a|UNKNOWN(000001D154511671)|UNKNOWN(000001D154511671)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e16494be(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e08
7d65f92c9e05\System.Management.Automation.ni.dll+e1623480(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e16230bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e20eb3e9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e15e002d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1643a9f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1625aae(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1625aae(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1625aae(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e162593f(wow64) 154100x8000000000000000128802Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.044{7942A313-ECE0-61FC-8602-000000002D02}7708C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths 
@"C:\Users\Administrator\AppData\Local\Temp\vvm15jk1\vvm15jk1.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECDD-61FC-6754-210000000000}0x2154670HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{7942A313-ECDF-61FC-8502-000000002D02}7552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand 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 11241100x8000000000000000128801Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.037{7942A313-ECDF-61FC-8502-000000002D02}7552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\vvm15jk1\vvm15jk1.cmdline2022-02-04 09:07:44.037 11241100x8000000000000000128800Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.localDLL2022-02-04 09:07:44.037{7942A313-ECDF-61FC-8502-000000002D02}7552C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\vvm15jk1\vvm15jk1.dll2022-02-04 09:07:44.037 23542300x8000000000000000128921Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:45.979{7942A313-ECE1-61FC-8D02-000000002D02}8032ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_p4j5zukj.55j.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128920Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:45.979{7942A313-ECE1-61FC-8D02-000000002D02}8032ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_2efdsuor.xn5.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128919Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:45.979{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3BBB1A234741DAB5B2D7B9AA881ADBF,SHA256=E78EFBF619711B4E998CDA6E3B69B44E39B7172A55BDA8A2AF1114937520FE0F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000128918Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:45.944{7942A313-ECE1-61FC-8D02-000000002D02}8032C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_2efdsuor.xn5.ps12022-02-04 09:07:45.943 10341000x8000000000000000128917Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:45.910{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-ECE1-61FC-8D02-000000002D02}8032C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128916Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:45.895{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-ECE1-61FC-8D02-000000002D02}8032C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000128915Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:45.879{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-ECE1-61FC-8D02-000000002D02}8032C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128914Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:45.848{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128913Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:45.848{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128912Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:45.848{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000128911Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:45.848{7942A313-ECE1-61FC-8B02-000000002D02}75167984C:\Windows\system32\conhost.exe{7942A313-ECE1-61FC-8D02-000000002D02}8032C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128910Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:45.844{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128909Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:45.843{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128908Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:45.842{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128907Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:45.842{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128906Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:45.842{7942A313-E057-61FC-0500-000000002D02}416432C:\Windows\system32\csrss.exe{7942A313-ECE1-61FC-8D02-000000002D02}8032C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000128905Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:45.842{7942A313-ECE1-61FC-8C02-000000002D02}80168024C:\Windows\system32\cmd.exe{7942A313-ECE1-61FC-8D02-000000002D02}8032C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000128904Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:45.841{7942A313-ECE1-61FC-8D02-000000002D02}8032C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 
UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcA
QgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECE1-61FC-34D7-210000000000}0x21d7340HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{7942A313-ECE1-61FC-8C02-000000002D02}8016C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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 10341000x8000000000000000128903Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:45.825{7942A313-ECE1-61FC-8B02-000000002D02}75167984C:\Windows\system32\conhost.exe{7942A313-ECE1-61FC-8C02-000000002D02}8016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128902Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:45.825{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128901Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:45.825{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128900Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:45.825{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128899Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:45.825{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128898Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:45.825{7942A313-E057-61FC-0500-000000002D02}416432C:\Windows\system32\csrss.exe{7942A313-ECE1-61FC-8C02-000000002D02}8016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000128897Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:45.825{7942A313-ECE1-61FC-8A02-000000002D02}79484428C:\Windows\system32\WinrsHost.exe{7942A313-ECE1-61FC-8C02-000000002D02}8016C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54179|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+651cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+397f8|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+3534e|C:\Windows\System32\RPCRT4.dll+20cc7|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb 154100x8000000000000000128896Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:45.830{7942A313-ECE1-61FC-8C02-000000002D02}8016C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 
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C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECE1-61FC-34D7-210000000000}0x21d7340HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{7942A313-ECE1-61FC-8A02-000000002D02}7948C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x8000000000000000128895Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:45.825{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128894Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:45.825{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128893Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:45.825{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000128892Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:45.809{7942A313-E05A-61FC-1400-000000002D02}9644604C:\Windows\system32\svchost.exe{7942A313-ECE1-61FC-8A02-000000002D02}7948C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x8000000000000000128891Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:45.794{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-ECE1-61FC-8A02-000000002D02}7948C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128890Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:45.764{7942A313-ECE1-61FC-8B02-000000002D02}75167984C:\Windows\system32\conhost.exe{7942A313-ECE1-61FC-8A02-000000002D02}7948C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128889Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:45.744{7942A313-E057-61FC-0500-000000002D02}416432C:\Windows\system32\csrss.exe{7942A313-ECE1-61FC-8B02-000000002D02}7516C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000128888Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:45.725{7942A313-E059-61FC-0C00-000000002D02}836500C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128887Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:45.725{7942A313-E059-61FC-0C00-000000002D02}836500C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128886Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:45.725{7942A313-E059-61FC-0C00-000000002D02}836500C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128885Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:45.725{7942A313-E059-61FC-0C00-000000002D02}836500C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128884Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:45.725{7942A313-E057-61FC-0500-000000002D02}416532C:\Windows\system32\csrss.exe{7942A313-ECE1-61FC-8A02-000000002D02}7948C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000128883Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:45.725{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-ECE1-61FC-8A02-000000002D02}7948C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366d9|c:\windows\system32\rpcss.dll+3bec2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000128882Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:45.732{7942A313-ECE1-61FC-8A02-000000002D02}7948C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe 
-EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{7942A313-ECE1-61FC-34D7-210000000000}0x21d7340HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{7942A313-E059-61FC-0C00-000000002D02}836C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x8000000000000000128881Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:45.709{7942A313-E059-61FC-0C00-000000002D02}836500C:\Windows\system32\svchost.exe{7942A313-E05A-61FC-1600-000000002D02}1264C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128880Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:45.709{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1600-000000002D02}1264C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128879Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:45.709{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000128878Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:45.709{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128877Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:45.709{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128876Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:45.525{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000128875Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:45.525{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128874Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:45.525{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128873Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:45.510{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000128872Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:45.510{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128871Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:45.510{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000128870Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:45.478{7942A313-ECDD-61FC-8002-000000002D02}7340ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128869Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:45.447{7942A313-ECDD-61FC-8102-000000002D02}7420ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=33BFF218FD8B5198ABB691ED6128FCB4,SHA256=DB507A0506A3CCE391792299D76C60A29BC0BFFB46A9736BD0589266B5AC66D2,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000128868Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:45.393{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7C3C0F8AA3CCCE9104A7AF07A3C69B06,SHA256=F0A40C6D638FF245560620966538977D002D75D4EA0C1886BA1247A82FBFAF3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128867Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:45.320{7942A313-ECDF-61FC-8502-000000002D02}7552ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000128866Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
17141700x8000000000000000128925Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-CreatePipe2022-02-04 09:07:46.026{7942A313-ECE1-61FC-8D02-000000002D02}8032\PSHost.132884392658416491.8032.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000128924Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:46.026{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A24302453F4F7F33FA3582B069F10A15,SHA256=6C182DA4F661C90724B43775C1D6D235A98F148846C1507A9FDBF9040F65FF9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000128923Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.599{7942A313-E82C-61FC-9101-000000002D02}4948C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49419-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 354300x8000000000000000128922Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:44.593{7942A313-E06B-61FC-2900-000000002D02}2924C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local57429- 354300x8000000000000000129018Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:46.818{7942A313-E06B-61FC-2900-000000002D02}2924C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local51929- 354300x8000000000000000129017Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:46.817{7942A313-E06B-61FC-2900-000000002D02}2924C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local53796- 354300x8000000000000000129016Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:46.815{7942A313-E06B-61FC-2900-000000002D02}2924C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local59408- 354300x8000000000000000129015Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:46.815{7942A313-E06B-61FC-2900-000000002D02}2924C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-tcontreras-attack-range-492.attackrange.local52791- 354300x8000000000000000129014Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:45.995{7942A313-E053-61FC-0100-000000002D02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse93.104.88.175ppp-93-104-88-175.dynamic.mnet-online.de50467-false10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local5986- 10341000x8000000000000000129013Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:47.677{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-ECE3-61FC-9202-000000002D02}6300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129012Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:47.676{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-ECE3-61FC-9202-000000002D02}6300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
17141700x8000000000000000129011Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-CreatePipe2022-02-04 09:07:47.640{7942A313-ECE3-61FC-9202-000000002D02}6300\PSHost.132884392674919543.6300.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000129010Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:47.625{7942A313-ECE3-61FC-9202-000000002D02}6300ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_hnillgt2.ikk.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129009Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:47.625{7942A313-ECE3-61FC-9202-000000002D02}6300ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ip3de4td.kqm.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000129008Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:47.609{7942A313-ECE3-61FC-9202-000000002D02}6300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_ip3de4td.kqm.ps12022-02-04 09:07:47.609 10341000x8000000000000000129007Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:47.578{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-ECE3-61FC-9202-000000002D02}6300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129006Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:47.578{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-ECE3-61FC-9202-000000002D02}6300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000129005Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:47.542{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-ECE3-61FC-9202-000000002D02}6300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129004Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:47.511{7942A313-ECE1-61FC-8B02-000000002D02}75167984C:\Windows\system32\conhost.exe{7942A313-ECE3-61FC-9202-000000002D02}6300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129003Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:47.479{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129002Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:47.479{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129001Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:47.479{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129000Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:47.479{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128999Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:47.479{7942A313-E057-61FC-0500-000000002D02}416432C:\Windows\system32\csrss.exe{7942A313-ECE3-61FC-9202-000000002D02}6300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000128998Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:47.479{7942A313-ECE2-61FC-8E02-000000002D02}69766848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7942A313-ECE3-61FC-9202-000000002D02}6300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|UNKNOWN(00007FFF98EBBF90) 154100x8000000000000000128997Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:47.491{7942A313-ECE3-61FC-9202-000000002D02}6300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" -noninteractive -encodedcommand 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C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECE1-61FC-34D7-210000000000}0x21d7340HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{7942A313-ECE2-61FC-8E02-000000002D02}6976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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 
23542300x8000000000000000128996Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:47.409{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=06314847D8C3921AE0A653D94D2E9F4D,SHA256=F48A4C082B11D9FBF1E7C885213985404C2680AA4403CAD42AB29C89C412E372,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128995Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:47.309{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D481AD8A61EDDBC5F4D17B9D84BE4770,SHA256=EA37D965BB5E982E813B646FEF5D28D50F2E64E6DBD135C4F44BD2D53D60BA85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128994Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:47.240{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F36B78CF2AB351540E1C639E3511407D,SHA256=E68AE299677F07471EFBD0522DAE05D2384FF96E368E22A3B1A0B3B82C959AEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128993Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:47.209{7942A313-ECE2-61FC-8E02-000000002D02}6976ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\lpasym1v.dllMD5=F58F9A0CFA45C8DADDE29F02E7BB1EFF,SHA256=FE5933E753E5C652D9C25EE11BF9A07C3CC87E77EA459F05CF52D68E74BE7409,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x8000000000000000128992Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:47.209{7942A313-ECE2-61FC-8E02-000000002D02}6976ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\lpasym1v.pdbMD5=CF093967B72464F80B5CD16CEB0326C2,SHA256=8327AB724B141FE2EFE734980E77DC0BEFCEFA9BB76B926FA25BF524A9634619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128991Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:47.209{7942A313-ECE2-61FC-8E02-000000002D02}6976ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\lpasym1v.0.csMD5=44815CB25A26138A7FD7D3913389A1EF,SHA256=2FA6F086E1B722523C9234D388346BB140EAA3D3047C298403CEDF7BA59A3B57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128990Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:47.209{7942A313-ECE2-61FC-8E02-000000002D02}6976ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\lpasym1v.outMD5=B94437455115BBD32F89836B056799E7,SHA256=CE9CDD46B42C38FBCE5B36DB12F2D9F6D427B25F4C65E0BE0514A29965EA1E05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128989Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:47.209{7942A313-ECE2-61FC-8E02-000000002D02}6976ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\lpasym1v.cmdlineMD5=D611121DFB707C53A63426AE26C4BBC4,SHA256=A175B688A56BFF402B25220B51E12FB0D3899A3AC45140AE5CACDBA3EAC35EB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128988Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:47.193{7942A313-ECE3-61FC-9002-000000002D02}6532ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\CSC424A1C17EA5542F8B67B46CD7A394836.TMPMD5=1C82CCED42858AB9744535819A7616D5,SHA256=A0C5222E1C0A87EF330F85D403200C18216F8930874A2B98F940B0287F949039,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000128987Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.localDLL2022-02-04 09:07:47.193{7942A313-ECE3-61FC-9002-000000002D02}6532C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\lpasym1v.dll2022-02-04 09:07:47.059 23542300x8000000000000000128986Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:47.193{7942A313-ECE3-61FC-9002-000000002D02}6532ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\lpasym1v.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128985Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:47.193{7942A313-ECE3-61FC-9002-000000002D02}6532ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES1762.tmpMD5=69E543C467B659D81EADE764F0FD5792,SHA256=FE38438F17456684351BFD15AC9768222156106C2DCBD44437B99D8F91569834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128984Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:47.177{7942A313-ECE3-61FC-9102-000000002D02}8136ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES1762.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000128983Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:47.177{7942A313-ECE1-61FC-8B02-000000002D02}75167984C:\Windows\system32\conhost.exe{7942A313-ECE3-61FC-9102-000000002D02}8136C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128982Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:47.177{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128981Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:47.177{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128980Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:47.177{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128979Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:47.177{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128978Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:47.177{7942A313-E057-61FC-0500-000000002D02}416432C:\Windows\system32\csrss.exe{7942A313-ECE3-61FC-9102-000000002D02}8136C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000128977Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:47.177{7942A313-ECE3-61FC-9002-000000002D02}65326396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{7942A313-ECE3-61FC-9102-000000002D02}8136C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b46d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3db4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3f2c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+4002|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27b2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2804|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2948|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7fe06|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+4726f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45e1f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45b16|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45826|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1938a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18bf6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+a831|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1f0a49|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
154100x8000000000000000128976Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:47.177{7942A313-ECE3-61FC-9102-000000002D02}8136C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES1762.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSC424A1C17EA5542F8B67B46CD7A394836.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECE1-61FC-34D7-210000000000}0x21d7340HighMD5=C877CBB966EA5939AA2A17B6A5160950,SHA256=1FE531EAC592B480AA4BD16052B909C3431434F17E7AE163D248355558CE43A6,IMPHASH=55D76ADE7FFEA0F41FF2B55505C2B362{7942A313-ECE3-61FC-9002-000000002D02}6532C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\lpasym1v.cmdline" 23542300x8000000000000000128975Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:47.093{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7B3E29296580A681AD0A27EC06E26A78,SHA256=9054C4C8DC8067F4CD1AFB7D515E08DFE1DAE7C36BDB708D6FB748F2048FADE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000128974Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:47.093{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=886B3727DE992292947DC6B2105DE749,SHA256=FC807DF454C108901F92F278449A453DA922B6087ACD2FDE0916A74E100EDFDB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000128973Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:47.065{7942A313-ECE1-61FC-8B02-000000002D02}75167984C:\Windows\system32\conhost.exe{7942A313-ECE3-61FC-9002-000000002D02}6532C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128972Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:47.062{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128971Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:47.062{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128970Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:47.062{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128969Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:47.062{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128968Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:47.061{7942A313-E057-61FC-0500-000000002D02}416408C:\Windows\system32\csrss.exe{7942A313-ECE3-61FC-9002-000000002D02}6532C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000128967Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:47.061{7942A313-ECE2-61FC-8E02-000000002D02}69767000C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7942A313-ECE3-61FC-9002-000000002D02}6532C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2be405|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2be05f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2bdb80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2bdb08|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2bc1c3|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+7d88f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+7d836a|UNKNOWN(00007FFF9912C47F) 154100x8000000000000000128966Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:47.061{7942A313-ECE3-61FC-9002-000000002D02}6532C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths 
@"C:\Users\ADMINI~1\AppData\Local\Temp\lpasym1v.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECE1-61FC-34D7-210000000000}0x21d7340HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{7942A313-ECE2-61FC-8E02-000000002D02}6976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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 11241100x8000000000000000128965Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:47.059{7942A313-ECE2-61FC-8E02-000000002D02}6976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\lpasym1v.cmdline2022-02-04 09:07:47.059 11241100x8000000000000000128964Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.localDLL2022-02-04 09:07:47.059{7942A313-ECE2-61FC-8E02-000000002D02}6976C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\lpasym1v.dll2022-02-04 09:07:47.059 10341000x8000000000000000128963Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:47.043{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128962Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:47.043{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000128961Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:47.040{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000129074Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:48.442{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-ECE4-61FC-9602-000000002D02}7880C:\Windows\system32\whoami.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129073Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:48.427{7942A313-ECE1-61FC-8B02-000000002D02}75167984C:\Windows\system32\conhost.exe{7942A313-ECE4-61FC-9602-000000002D02}7880C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129072Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:48.427{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129071Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:48.427{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129070Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:48.427{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129069Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:48.427{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129068Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:48.427{7942A313-E057-61FC-0500-000000002D02}416432C:\Windows\system32\csrss.exe{7942A313-ECE4-61FC-9602-000000002D02}7880C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000129067Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:48.427{7942A313-ECE3-61FC-9202-000000002D02}63006696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7942A313-ECE4-61FC-9602-000000002D02}7880C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e20f0024(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e157347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e15730b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e203b3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e153002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management
.Automation.ni.dll+e1593a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1575aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1575aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1575aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e157593c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e156665c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1573b9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1573710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e157347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e15730b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e203b3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e153002a(wow64) 154100x8000000000000000129066Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:48.436{7942A313-ECE4-61FC-9602-000000002D02}7880C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on 
user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECE1-61FC-34D7-210000000000}0x21d7340HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{7942A313-ECE3-61FC-9202-000000002D02}6300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand 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 10341000x8000000000000000129065Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:48.411{7942A313-ECE1-61FC-8B02-000000002D02}75167984C:\Windows\system32\conhost.exe{7942A313-ECE4-61FC-9502-000000002D02}6460C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129064Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:48.411{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129063Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:48.411{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129062Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:48.411{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129061Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:48.411{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129060Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:48.411{7942A313-E057-61FC-0500-000000002D02}416432C:\Windows\system32\csrss.exe{7942A313-ECE4-61FC-9502-000000002D02}6460C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000129059Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:48.411{7942A313-ECE3-61FC-9202-000000002D02}63006696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7942A313-ECE4-61FC-9502-000000002D02}6460C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e20f0024(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e157347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e15730b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e203b3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e153002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Manage
ment.Automation.ni.dll+e1593a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1575aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1575aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1575aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e157593c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e156665c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1573b9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1573710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e157347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e15730b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e203b3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e153002a(wow64) 154100x8000000000000000129058Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:48.422{7942A313-ECE4-61FC-9502-000000002D02}6460C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® 
Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECE1-61FC-34D7-210000000000}0x21d7340HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{7942A313-ECE3-61FC-9202-000000002D02}6300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand 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 10341000x8000000000000000129057Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:48.396{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-ECE3-61FC-9202-000000002D02}6300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129056Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:48.396{7942A313-E057-61FC-0B00-000000002D02}632796C:\Windows\system32\lsass.exe{7942A313-ECE3-61FC-9202-000000002D02}6300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000129055Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:48.326{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5605D5614EA74E6B11A1555B4C63B60C,SHA256=0FB5AC7901A68D6A0B01E8D87F0DB6783C41559A4694FFF5C11F499303516943,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129054Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:48.311{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E0E726E3D102142472C35AE7C582443,SHA256=608F8D3672E19E89148F0683279A9C66CC9688E7E71231DD4F7E2A8C078708D8,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000129053Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:48.311{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2ACDA398EB4927B46F644BA1B42A188D,SHA256=B1D18FD2F178869B3B2DE81391AE03DDB747EFFA10C8F8C91162914D82B88A45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129052Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:48.295{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=866CB5233A0BA5EF8BA3DF643DF6973E,SHA256=E940A1117FAFDB613E132B6F59791B8FBD144B8799FFC0042007DF702DC3C2F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129051Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:48.295{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5B7852CB3E5D8AFE963CBCA4BF511286,SHA256=352C9AB0F6CA9FF3CEEE7EFFB3931B7EF9BFC853D642A1364C563199C80814DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129050Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:48.280{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FE1B5410378362F51FD549F0FB8C5CA2,SHA256=6A73E6B3D162F365EC823275A2AAA30C96D0713F2DC56A2F6353985A2135C58F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129049Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:48.242{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F57423A0B102FEAD995A6A93E94B1B66,SHA256=D59ACD0EB3CE6226661F4A2318634C320E0132F9E84103C4F29C70A20F1AE01F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129048Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:48.227{7942A313-ECE3-61FC-9202-000000002D02}6300ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\0oq4c2rr\0oq4c2rr.dllMD5=CE4DFC0305CCD150095438DD10AE0613,SHA256=58AF8553FF57DF43E1A424EFC1372835956F1C0DE53B0675B5847D601F720CE5,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x8000000000000000129047Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:48.227{7942A313-ECE3-61FC-9202-000000002D02}6300ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\0oq4c2rr\0oq4c2rr.cmdlineMD5=227915A6AA914363C73D41BF8A0CF41F,SHA256=502623FF5D51339EBCFCB65904A616697A7D2248BEADDCB98D92473F282FB74F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129046Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:48.211{7942A313-ECE3-61FC-9202-000000002D02}6300ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\0oq4c2rr\0oq4c2rr.outMD5=CB3AD1E1C58286C6FBCA749C4A4E6473,SHA256=09850E96FFE3F772A4C37F6B353C8339400DD2DCF510BDA91504DF2D7227A94D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129045Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:48.211{7942A313-ECE3-61FC-9202-000000002D02}6300ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\0oq4c2rr\0oq4c2rr.0.csMD5=10E9ABF0FAE68083CD0F74B09AFF5337,SHA256=D5A895B2362348B06CF4EEC1C6C912F9BA19E882023309237AA479EDC6E9834E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129044Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:48.211{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F944D5BE3E22DA1EE47B1FBCE009E0C5,SHA256=C2AB7BFF197A575538EE4F54EA103B2A937ECAE9E4FA86CA104F99ABC25A7142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129043Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:48.211{7942A313-ECE4-61FC-9302-000000002D02}6888ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\0oq4c2rr\CSC177501ACDC374E609255FE11222C9A6.TMPMD5=78D858E1B192C21ABBC497655862D324,SHA256=31CF8034EB47E8A39A20A20850907BD603D9CF4DD5AF4E6E3C3A6E939796F9FF,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x8000000000000000129042Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.localDLL2022-02-04 09:07:48.211{7942A313-ECE4-61FC-9302-000000002D02}6888C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\0oq4c2rr\0oq4c2rr.dll2022-02-04 09:07:48.111 23542300x8000000000000000129041Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:48.195{7942A313-ECE4-61FC-9302-000000002D02}6888ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\0oq4c2rr\0oq4c2rr.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129040Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:48.195{7942A313-ECE4-61FC-9302-000000002D02}6888ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES1B4A.tmpMD5=B0D0D2A952E6F8DEFA63E8177C6E6A98,SHA256=A604E4C1A141D8B1C6A0F65B0AB75D9DB587CCC262664EE9D72222CA96CA7437,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129039Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:48.195{7942A313-ECE4-61FC-9402-000000002D02}7008ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES1B4A.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000129038Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:48.195{7942A313-ECE1-61FC-8B02-000000002D02}75167984C:\Windows\system32\conhost.exe{7942A313-ECE4-61FC-9402-000000002D02}7008C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129037Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:48.195{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129036Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:48.195{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129035Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:48.195{7942A313-E057-61FC-0500-000000002D02}416532C:\Windows\system32\csrss.exe{7942A313-ECE4-61FC-9402-000000002D02}7008C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000129034Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:48.195{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129033Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:48.195{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129032Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:48.195{7942A313-ECE4-61FC-9302-000000002D02}68881932C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{7942A313-ECE4-61FC-9402-000000002D02}7008C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b46d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3db4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3f2c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+4002|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27b2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2804|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2948|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7fe06|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+4726f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45e1f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45b16|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45826|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1938a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18bf6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+a831|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1f0a49|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000129031Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:48.195{7942A313-ECE4-61FC-9402-000000002D02}7008C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 
"/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES1B4A.tmp" "c:\Users\Administrator\AppData\Local\Temp\0oq4c2rr\CSC177501ACDC374E609255FE11222C9A6.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECE1-61FC-34D7-210000000000}0x21d7340HighMD5=C877CBB966EA5939AA2A17B6A5160950,SHA256=1FE531EAC592B480AA4BD16052B909C3431434F17E7AE163D248355558CE43A6,IMPHASH=55D76ADE7FFEA0F41FF2B55505C2B362{7942A313-ECE4-61FC-9302-000000002D02}6888C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\0oq4c2rr\0oq4c2rr.cmdline" 10341000x8000000000000000129030Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:48.111{7942A313-ECE1-61FC-8B02-000000002D02}75167984C:\Windows\system32\conhost.exe{7942A313-ECE4-61FC-9302-000000002D02}6888C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129029Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:48.111{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129028Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:48.111{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129027Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:48.111{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129026Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:48.111{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129025Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:48.111{7942A313-E057-61FC-0500-000000002D02}416532C:\Windows\system32\csrss.exe{7942A313-ECE4-61FC-9302-000000002D02}6888C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000129024Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:48.111{7942A313-ECE3-61FC-9202-000000002D02}63006696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7942A313-ECE4-61FC-9302-000000002D02}6888C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2be405|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2be05f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2bdb80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2bdb08|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2bc1c3|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+7d8e81|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+7d828a|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\3d53105c9e15534f7b6f1cd8e0ea0e89\Microsoft.PowerShell.Commands.Utility.ni.dll+2ca0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\3d53105c9e15534f7b6f1cd8e0ea0e89\Microsoft.PowerShell.Commands.Util
ity.ni.dll+2ca0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e15994bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e157347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e15730b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e203b3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e153002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1593a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1575aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1575aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1575aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e157593c(wow64) 154100x8000000000000000129023Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:48.122{7942A313-ECE4-61FC-9302-000000002D02}6888C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths 
@"C:\Users\Administrator\AppData\Local\Temp\0oq4c2rr\0oq4c2rr.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECE1-61FC-34D7-210000000000}0x21d7340HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{7942A313-ECE3-61FC-9202-000000002D02}6300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand 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 11241100x8000000000000000129022Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:48.111{7942A313-ECE3-61FC-9202-000000002D02}6300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\0oq4c2rr\0oq4c2rr.cmdline2022-02-04 09:07:48.111 11241100x8000000000000000129021Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.localDLL2022-02-04 09:07:48.111{7942A313-ECE3-61FC-9202-000000002D02}6300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\0oq4c2rr\0oq4c2rr.dll2022-02-04 09:07:48.111 23542300x8000000000000000129020Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:48.111{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=91B03A41984CE4EB5BE57C3C868CA8B2,SHA256=8FDEC50591CA0D2F64ACB7662A61D4AE8DBDF7692A9D9B2FA5FEE85CDF1B842E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129019Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:48.058{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22A7532D51981543710180BE363624C4,SHA256=6C1C29CBB7AFAF9E93663FA377D75418FDD1571D7603B1997308CA9CCA3F3770,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000129163Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:49.998{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-ECE5-61FC-9D02-000000002D02}7696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129162Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7942A313-E058-61FC-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{7942A313-E06B-61FC-2C00-000000002D02}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000129116Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:49.557{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129115Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:49.557{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129114Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:49.557{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000129113Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:49.526{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129112Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:49.526{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129111Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:49.526{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
23542300x8000000000000000129110Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:49.494{7942A313-ECE1-61FC-8D02-000000002D02}8032ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129109Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:49.479{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBE3F62C157AC01C94E7FD068FC5501C,SHA256=336B05042E2BF53356319332467F7A63CAFBE96DB162FA54C5E69F316E49C282,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129108Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:49.479{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=EB4C7EC5C7DB6A41E6CFF4F2CE0AE6A8,SHA256=70F5483438D5AC91DB1D5259C5827C4EB36589BD4368F8BDC9B98411AD7409AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129107Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:49.476{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61EDB04DD6C498E5E08D3DBFE9739BEB,SHA256=19DC01F3372B00451DC74B5031ACCB94E66D994578F8A45FF0598B133E5039AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129106Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:49.457{7942A313-ECE2-61FC-8E02-000000002D02}6976ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=33BFF218FD8B5198ABB691ED6128FCB4,SHA256=DB507A0506A3CCE391792299D76C60A29BC0BFFB46A9736BD0589266B5AC66D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129105Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:49.326{7942A313-ECE3-61FC-9202-000000002D02}6300ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129104Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:49.295{7942A313-ECE3-61FC-9202-000000002D02}6300ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\art-out.txtMD5=13015015DD907D28996153DF14881252,SHA256=4499283166530CE395CBC12677FEF2BD52759EACDCC5BDDE56C039B1A2E99C0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000129103Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:49.279{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-ECE3-61FC-9202-000000002D02}6300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129102Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:49.279{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-ECE3-61FC-9202-000000002D02}6300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000129101Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:49.279{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-ECE3-61FC-9202-000000002D02}6300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000129100Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:49.274{7942A313-E82C-61FC-9101-000000002D02}4948ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\q2h6ebb1.default-release\cache2\doomed\2103MD5=6890FBEE1DC35E8FA866055C44DB06FE,SHA256=554618E86B1F928E2D1FE0066F1EDEAF5D43B19AAB2CE6074441FBA4A0156A9C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000129099Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-SetValue2022-02-04 09:07:49.241{7942A313-ECE5-61FC-9802-000000002D02}7496C:\Windows\system32\reg.exeHKLM\System\CurrentControlSet\Control\Print\Monitors\ART\Atomic Red TeamC:\Path\AtomicRedTeam.dll 10341000x8000000000000000129098Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:49.226{7942A313-ECE1-61FC-8B02-000000002D02}75167984C:\Windows\system32\conhost.exe{7942A313-ECE5-61FC-9802-000000002D02}7496C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129097Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:49.226{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129096Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:49.226{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129095Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:49.226{7942A313-E057-61FC-0500-000000002D02}416408C:\Windows\system32\csrss.exe{7942A313-ECE5-61FC-9802-000000002D02}7496C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000129094Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:49.226{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129093Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:49.226{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129092Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:49.226{7942A313-ECE5-61FC-9702-000000002D02}73487360C:\Windows\system32\cmd.exe{7942A313-ECE5-61FC-9802-000000002D02}7496C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000129091Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:49.230{7942A313-ECE5-61FC-9802-000000002D02}7496C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "hklm\system\currentcontrolset\control\print\monitors\ART" /v "Atomic Red Team" /d "C:\Path\AtomicRedTeam.dll" /t REG_SZ C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{7942A313-ECE1-61FC-34D7-210000000000}0x21d7340HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{7942A313-ECE5-61FC-9702-000000002D02}7348C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "reg add "hklm\system\currentcontrolset\control\print\monitors\ART" /v "Atomic Red Team" /d "C:\Path\AtomicRedTeam.dll" /t REG_SZ" 10341000x8000000000000000129090Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:49.210{7942A313-ECE3-61FC-9202-000000002D02}63006696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7942A313-ECE5-61FC-9702-000000002D02}7348C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c01f5|UNKNOWN(00007FFF9921C423) 10341000x8000000000000000129089Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:49.210{7942A313-ECE1-61FC-8B02-000000002D02}75167984C:\Windows\system32\conhost.exe{7942A313-ECE5-61FC-9702-000000002D02}7348C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129088Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:49.210{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129087Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:49.210{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129086Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:49.210{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129085Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:49.210{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129084Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:50.253{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-ECE6-61FC-9E02-000000002D02}7076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129181Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:50.238{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-ECE6-61FC-9E02-000000002D02}7076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000129180Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:50.185{7942A313-ECE5-61FC-9B02-000000002D02}70726936C:\Windows\system32\conhost.exe{7942A313-ECE6-61FC-9E02-000000002D02}7076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129179Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:50.185{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129178Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:50.185{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129177Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:50.185{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129176Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:50.185{7942A313-E057-61FC-0500-000000002D02}416432C:\Windows\system32\csrss.exe{7942A313-ECE6-61FC-9E02-000000002D02}7076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000129175Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:50.185{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129174Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:50.185{7942A313-ECE5-61FC-9D02-000000002D02}76966720C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7942A313-ECE6-61FC-9E02-000000002D02}7076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e2830099(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1cb34f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1cb312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e277b45b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1c7009f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1cd3b11(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1cb5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1cb5b20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af264
8a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1cb59b1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1ca66d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1cb3c13(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1cb37e0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1cb34f2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1cb312d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e277b45b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1c983d8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+e1c9794a(wow64) 154100x8000000000000000129173Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:50.195{7942A313-ECE6-61FC-9E02-000000002D02}7076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 
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C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECE5-61FC-0353-220000000000}0x2253030HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{7942A313-ECE5-61FC-9D02-000000002D02}7696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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 10341000x8000000000000000129172Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:50.100{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-ECE5-61FC-9D02-000000002D02}7696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129171Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:50.100{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-ECE5-61FC-9D02-000000002D02}7696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000129170Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:50.069{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E97B5E71B02F62D3F7DBDAE238387CB,SHA256=5B5D3ECCA204E1B14EE590ED08EE8EF177E65C399396ACB9B9E01AB271C4490E,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000129169Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-CreatePipe2022-02-04 09:07:50.053{7942A313-ECE5-61FC-9D02-000000002D02}7696\PSHost.132884392699672230.7696.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000129168Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:50.037{7942A313-ECE5-61FC-9D02-000000002D02}7696ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_gukjv1k5.jqc.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129167Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:50.037{7942A313-ECE5-61FC-9D02-000000002D02}7696ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_w15hbm0r.55g.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000129166Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:50.022{7942A313-ECE5-61FC-9D02-000000002D02}7696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_w15hbm0r.55g.ps12022-02-04 09:07:50.022 10341000x8000000000000000129165Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:50.021{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-ECE5-61FC-9D02-000000002D02}7696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129164Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:50.015{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-ECE5-61FC-9D02-000000002D02}7696C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
354300x8000000000000000129281Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:50.135{7942A313-E053-61FC-0100-000000002D02}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse93.104.88.175ppp-93-104-88-175.dynamic.mnet-online.de50468-false10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local5986- 354300x8000000000000000129280Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:49.592{7942A313-E078-61FC-6A00-000000002D02}3528C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49421-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000129279Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.878{7942A313-E06C-61FC-3300-000000002D02}32243244C:\Windows\system32\conhost.exe{7942A313-ECE7-61FC-A402-000000002D02}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129278Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:51.878{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129277Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.878{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129276Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:51.878{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129275Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.878{7942A313-E057-61FC-0500-000000002D02}416432C:\Windows\system32\csrss.exe{7942A313-ECE7-61FC-A402-000000002D02}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000129274Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:51.878{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129273Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.878{7942A313-E06B-61FC-2C00-000000002D02}29844028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7942A313-ECE7-61FC-A402-000000002D02}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000129272Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.879{7942A313-ECE7-61FC-A402-000000002D02}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7942A313-E058-61FC-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{7942A313-E06B-61FC-2C00-000000002D02}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000129271Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:51.777{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-ECE7-61FC-A302-000000002D02}7268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26327|C:\Windows\system32\lsasrv.dll+2746d|C:\Windows\system32\lsasrv.dll+261a5|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129270Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.777{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-ECE7-61FC-A302-000000002D02}7268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2be8f|C:\Windows\system32\lsasrv.dll+260ed|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
17141700x8000000000000000129269Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-CreatePipe2022-02-04 09:07:51.740{7942A313-ECE7-61FC-A302-000000002D02}7268\PSHost.132884392716251921.7268.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x8000000000000000129268Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.724{7942A313-ECE7-61FC-A302-000000002D02}7268ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_hfrjq1kl.r4a.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129267Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.724{7942A313-ECE7-61FC-A302-000000002D02}7268ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_43tkxhcg.ubq.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000129266Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.693{7942A313-ECE7-61FC-A302-000000002D02}7268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_43tkxhcg.ubq.ps12022-02-04 09:07:51.693 10341000x8000000000000000129265Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:51.662{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-ECE7-61FC-A302-000000002D02}7268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129264Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.662{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-ECE7-61FC-A302-000000002D02}7268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+5460b|C:\Windows\System32\RPCRT4.dll+52cea|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000129263Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.660{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-ECE7-61FC-A302-000000002D02}7268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129262Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.624{7942A313-ECE5-61FC-9B02-000000002D02}70726936C:\Windows\system32\conhost.exe{7942A313-ECE7-61FC-A302-000000002D02}7268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129261Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:51.624{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129260Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.624{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129259Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:51.624{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129258Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.624{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129257Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:51.624{7942A313-E057-61FC-0500-000000002D02}416432C:\Windows\system32\csrss.exe{7942A313-ECE7-61FC-A302-000000002D02}7268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000129256Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.624{7942A313-ECE6-61FC-9E02-000000002D02}70767520C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7942A313-ECE7-61FC-A302-000000002D02}7268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|UNKNOWN(00007FFF98EBBF90) 154100x8000000000000000129255Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.625{7942A313-ECE7-61FC-A302-000000002D02}7268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" -noninteractive -encodedcommand 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:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECE5-61FC-0353-220000000000}0x2253030HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{7942A313-ECE6-61FC-9E02-000000002D02}7076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand 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 
23542300x8000000000000000129254Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.508{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=136FBB5050B35CD5922C8C664D5773AD,SHA256=CCE2E58992ED3F08F5C822203B15E15F77A4940E2FC74950CC88B1CCD0962B30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129253Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.477{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5B59293727AE0680A740D037BEA80517,SHA256=810DD9C6D2723C1324D1878978933C89FF6DE88453CACB8E00A74C0EAA4D44DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129252Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.477{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=815C5A595A53B38CBDF61F43B7A3A3DF,SHA256=72E4C0944C81185E23E47305616EEE7DDE97013A64438154C51636D41E81698E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129251Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.461{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBA11432A313E04FFC95AC50603E3DE6,SHA256=EDB29A2912020F37C25DD618CADBE51CF2C096A47E4A5DB5DA8FB29407861BB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129250Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.459{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3DA79AD790F153B333FC0D80B671EBCA,SHA256=3358A7F8E798CA415871221DE9F8F8244549D1144C3238C4D9B98C192A71C3A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000129249Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.457{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000129248Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.457{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129247Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:51.439{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000129246Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.260{7942A313-ECE6-61FC-9E02-000000002D02}7076ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\ndk3fanu.cmdlineMD5=7A054F21B0E59FD24596A08F9450C2AD,SHA256=7CC17D67C884265C2B381561F9FB38C0D729CC5134E9BE2C58301D150461D6E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129245Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.260{7942A313-ECE6-61FC-9E02-000000002D02}7076ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\ndk3fanu.dllMD5=8EC462BBF84FA52933EA88D110B18D09,SHA256=3D36A4A3AB0BF14C7408E4D7CBFC3598F85E30586C7F6D2EAB57FC290823BD85,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x8000000000000000129244Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:51.260{7942A313-ECE6-61FC-9E02-000000002D02}7076ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\ndk3fanu.outMD5=9C9B8A7DE5A0415A45CBCBD08E23EC06,SHA256=7B161C2236F7EE12B37828B40ED415150A2D9C920A159D66E331296977B3730B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129243Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.260{7942A313-ECE6-61FC-9E02-000000002D02}7076ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\ndk3fanu.0.csMD5=44815CB25A26138A7FD7D3913389A1EF,SHA256=2FA6F086E1B722523C9234D388346BB140EAA3D3047C298403CEDF7BA59A3B57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129242Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.260{7942A313-ECE6-61FC-9E02-000000002D02}7076ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\ndk3fanu.pdbMD5=99770C5704AC8410675DE396AA65EB64,SHA256=73809540F01F907783CA862531FD6AF0245066D09AC94C80ED2A64064EBD766A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129241Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.239{7942A313-ECE7-61FC-A102-000000002D02}5304ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\CSC2B1FDB7E73C74796BB98B9F74BE58AC.TMPMD5=73748C15E8FA322F05787E62EAAB5F38,SHA256=D11BDA8980E13FE6108B3EB3F9875F4F0F19E92C09EE85DD112518A3B8A68F45,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000129240Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.localDLL2022-02-04 
09:07:51.239{7942A313-ECE7-61FC-A102-000000002D02}5304C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\ndk3fanu.dll2022-02-04 09:07:51.139 23542300x8000000000000000129239Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.239{7942A313-ECE7-61FC-A102-000000002D02}5304ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\ndk3fanu.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129238Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.239{7942A313-ECE7-61FC-A102-000000002D02}5304ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES2730.tmpMD5=77D6579CD8DF75F71BBBB3B337DBED9B,SHA256=B47F37A3A6B8E207DDD3CBEF4BB0B0A7C36939312D13B1D489F27DA5B2911CB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129237Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.239{7942A313-ECE7-61FC-A202-000000002D02}7400ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES2730.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000129236Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:51.223{7942A313-ECE5-61FC-9B02-000000002D02}70726936C:\Windows\system32\conhost.exe{7942A313-ECE7-61FC-A202-000000002D02}7400C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129235Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.223{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129234Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:51.223{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129233Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.223{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129232Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:51.223{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129231Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.223{7942A313-E057-61FC-0500-000000002D02}416432C:\Windows\system32\csrss.exe{7942A313-ECE7-61FC-A202-000000002D02}7400C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000129230Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:51.223{7942A313-ECE7-61FC-A102-000000002D02}53047456C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{7942A313-ECE7-61FC-A202-000000002D02}7400C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b46d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3db4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3f2c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+4002|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27b2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2804|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2948|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7fe06|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+4726f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45e1f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45b16|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45826|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1938a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18bf6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+a831|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1f0a49|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000129229Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.231{7942A313-ECE7-61FC-A202-000000002D02}7400C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 
"/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES2730.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSC2B1FDB7E73C74796BB98B9F74BE58AC.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECE5-61FC-0353-220000000000}0x2253030HighMD5=C877CBB966EA5939AA2A17B6A5160950,SHA256=1FE531EAC592B480AA4BD16052B909C3431434F17E7AE163D248355558CE43A6,IMPHASH=55D76ADE7FFEA0F41FF2B55505C2B362{7942A313-ECE7-61FC-A102-000000002D02}5304C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\ndk3fanu.cmdline" 10341000x8000000000000000129228Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.145{7942A313-ECE5-61FC-9B02-000000002D02}70726936C:\Windows\system32\conhost.exe{7942A313-ECE7-61FC-A102-000000002D02}5304C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129227Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:51.143{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129226Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.143{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129225Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:51.142{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129224Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.142{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129223Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:51.142{7942A313-E057-61FC-0500-000000002D02}416432C:\Windows\system32\csrss.exe{7942A313-ECE7-61FC-A102-000000002D02}5304C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000129222Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.142{7942A313-ECE6-61FC-9E02-000000002D02}70767612C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7942A313-ECE7-61FC-A102-000000002D02}5304C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2be405|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2be05f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2bdb80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2bdb08|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2bc1c3|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+7d88f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+7d836a|UNKNOWN(00007FFF9912C04F) 154100x8000000000000000129221Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.142{7942A313-ECE7-61FC-A102-000000002D02}5304C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: 
NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\ndk3fanu.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECE5-61FC-0353-220000000000}0x2253030HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{7942A313-ECE6-61FC-9E02-000000002D02}7076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x8000000000000000129220Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.140{7942A313-ECE6-61FC-9E02-000000002D02}7076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\ndk3fanu.cmdline2022-02-04 09:07:51.140 
11241100x8000000000000000129219Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.localDLL2022-02-04 09:07:51.139{7942A313-ECE6-61FC-9E02-000000002D02}7076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\ndk3fanu.dll2022-02-04 09:07:51.139 23542300x8000000000000000129218Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:51.077{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=83E19FDCEA052965332ECF5DB50A4057,SHA256=9280AD0E8AA301BA7E51F5CD3764531BE20CF3F949AB9FE05EF0B67F0A411B45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129334Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:52.696{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8C5D8B700DFEDA37E20C3461C70F6198,SHA256=7EB509E787DD194E144B3EF65B70722D44B7AD551586A52E415473C62B9DB321,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129333Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:52.680{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0196820A0B0FB00C98C095C1CC5F1ABC,SHA256=B8A8698159843FCFD8E8FDEEB5021F7316F77D3B67CB42CF3F94C7FEB5715CE7,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000129332Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:52.680{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5F4FF486D5BCE8BE149102D82BBEDDAD,SHA256=0378D37AA486AC6CBD0EDF790C32B64E989B4904A5733F3B5397681E67189726,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129331Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:52.665{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=456878D09977AC948256F5B47B728A78,SHA256=A2459DC517BA4D76FDAC37FCC6029C06152E5666882210D18ED56A1CEE9E4903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129330Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:52.662{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3643B112AA7F9DB942D3ED45C963F13C,SHA256=6AE7467B54AF40F2FA9B6BC4A046F111A88C1EFA97291A77B93CBBDF105A8280,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129329Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:52.659{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3896D28A25BC788BF26157CEDBFA1F8D,SHA256=037AA2B0E30DE254D0BB1E32A0B3929D84B5AD88DD1189FD3678CFCB02FE9086,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000129328Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:52.563{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-ECE8-61FC-A802-000000002D02}6380C:\Windows\system32\whoami.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129327Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:52.558{7942A313-ECE5-61FC-9B02-000000002D02}70726936C:\Windows\system32\conhost.exe{7942A313-ECE8-61FC-A802-000000002D02}6380C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129326Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:52.541{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129325Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:52.541{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129324Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:52.541{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129323Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:52.541{7942A313-E057-61FC-0500-000000002D02}416408C:\Windows\system32\csrss.exe{7942A313-ECE8-61FC-A802-000000002D02}6380C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000129322Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:52.541{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129321Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:52.541{7942A313-ECE7-61FC-A302-000000002D02}72686840C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7942A313-ECE8-61FC-A802-000000002D02}6380C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b6209b42(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b568cf9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8
cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b568cbd6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b6154f04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b5649b48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b56ad5ba(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b568f5c9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b568f5c9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b568f5c9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b568f45a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b568017a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b568d6bc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b568d22e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b568cf9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b568cbd6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a
1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b6154f04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b5649b48(wow64) 154100x8000000000000000129320Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:52.554{7942A313-ECE8-61FC-A802-000000002D02}6380C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECE5-61FC-0353-220000000000}0x2253030HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{7942A313-ECE7-61FC-A302-000000002D02}7268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand 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 10341000x8000000000000000129319Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:52.541{7942A313-ECE5-61FC-9B02-000000002D02}70726936C:\Windows\system32\conhost.exe{7942A313-ECE8-61FC-A702-000000002D02}7284C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129318Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:52.541{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129317Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:52.541{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129316Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:52.526{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129315Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:52.526{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129314Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:52.526{7942A313-E057-61FC-0500-000000002D02}416532C:\Windows\system32\csrss.exe{7942A313-ECE8-61FC-A702-000000002D02}7284C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000129313Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:52.526{7942A313-ECE7-61FC-A302-000000002D02}72686840C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7942A313-ECE8-61FC-A702-000000002D02}7284C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b6209b42(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b568cf9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b568cbd6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b6154f04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b5649b48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Manage
ment.Automation.ni.dll+b56ad5ba(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b568f5c9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b568f5c9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b568f5c9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b568f45a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b568017a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b568d6bc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b568d22e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b568cf9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b568cbd6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b6154f04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b5649b48(wow64) 154100x8000000000000000129312Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:52.539{7942A313-ECE8-61FC-A702-000000002D02}7284C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® 
Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECE5-61FC-0353-220000000000}0x2253030HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{7942A313-ECE7-61FC-A302-000000002D02}7268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand 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 10341000x8000000000000000129311Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:52.510{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-ECE7-61FC-A302-000000002D02}7268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129310Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:52.510{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-ECE7-61FC-A302-000000002D02}7268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000129309Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:52.357{7942A313-ECE7-61FC-A302-000000002D02}7268ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\rhqtkp4e\rhqtkp4e.cmdlineMD5=AB9123A82F046BC5B516C73141D705CA,SHA256=30BDB910542CF4F98F559A92B48FA58F78DE70483C458FCF87D8FDF81EC6F8F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129308Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:52.340{7942A313-ECE7-61FC-A302-000000002D02}7268ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\rhqtkp4e\rhqtkp4e.dllMD5=D13E4B84A0D1A920698AB2F7D04E66B9,SHA256=9AE3B8A64BE551BF91CB645DE94B50A465B6A5A8420EAE65313D7AF857445038,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 
23542300x8000000000000000129307Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:52.340{7942A313-ECE7-61FC-A302-000000002D02}7268ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\rhqtkp4e\rhqtkp4e.0.csMD5=10E9ABF0FAE68083CD0F74B09AFF5337,SHA256=D5A895B2362348B06CF4EEC1C6C912F9BA19E882023309237AA479EDC6E9834E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129306Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:52.340{7942A313-ECE7-61FC-A302-000000002D02}7268ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\rhqtkp4e\rhqtkp4e.outMD5=F00BA3F1AEE36668237979C8AC40136E,SHA256=18F9B76EE3CCA393B2AD5FDAAD31D102C17D3D165FE9DA2E9D6DC40C29071A77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129305Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:52.340{7942A313-ECE8-61FC-A502-000000002D02}7320ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\rhqtkp4e\CSC33FF08F5B6684D4B94D0F1D8B6321340.TMPMD5=CC468F89B47AA6EBBAABCD1312B10741,SHA256=8737B9745A25340B827DDAA294C5130402D8AB7E1CC83D00F7F49682EB64BA8D,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000129304Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.localDLL2022-02-04 09:07:52.340{7942A313-ECE8-61FC-A502-000000002D02}7320C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\rhqtkp4e\rhqtkp4e.dll2022-02-04 09:07:52.225 23542300x8000000000000000129303Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:52.340{7942A313-ECE8-61FC-A502-000000002D02}7320ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\rhqtkp4e\rhqtkp4e.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129302Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:52.340{7942A313-ECE8-61FC-A502-000000002D02}7320ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES2B76.tmpMD5=BDBB05179DB03DF26A3785BE5D4AF119,SHA256=600E92CA06C753BA0DE81B06A6647A4C4047AEE7A31C2E06D0518161A0444AD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129301Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:52.324{7942A313-ECE8-61FC-A602-000000002D02}6580ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES2B76.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000129300Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:52.324{7942A313-ECE5-61FC-9B02-000000002D02}70726936C:\Windows\system32\conhost.exe{7942A313-ECE8-61FC-A602-000000002D02}6580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129299Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:52.324{7942A313-E057-61FC-0500-000000002D02}416432C:\Windows\system32\csrss.exe{7942A313-ECE8-61FC-A602-000000002D02}6580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000129298Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:52.324{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129297Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:52.324{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129296Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:52.324{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129295Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:52.324{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129294Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:52.324{7942A313-ECE8-61FC-A502-000000002D02}73207316C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{7942A313-ECE8-61FC-A602-000000002D02}6580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b46d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3db4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3f2c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+4002|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27b2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2804|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2948|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7fe06|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+4726f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45e1f
|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45b16|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45826|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1938a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18bf6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+a831|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1f0a49|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000129293Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:52.326{7942A313-ECE8-61FC-A602-000000002D02}6580C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES2B76.tmp" "c:\Users\Administrator\AppData\Local\Temp\rhqtkp4e\CSC33FF08F5B6684D4B94D0F1D8B6321340.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECE5-61FC-0353-220000000000}0x2253030HighMD5=C877CBB966EA5939AA2A17B6A5160950,SHA256=1FE531EAC592B480AA4BD16052B909C3431434F17E7AE163D248355558CE43A6,IMPHASH=55D76ADE7FFEA0F41FF2B55505C2B362{7942A313-ECE8-61FC-A502-000000002D02}7320C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\rhqtkp4e\rhqtkp4e.cmdline" 10341000x8000000000000000129292Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:52.240{7942A313-ECE5-61FC-9B02-000000002D02}70726936C:\Windows\system32\conhost.exe{7942A313-ECE8-61FC-A502-000000002D02}7320C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129291Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:52.225{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129290Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:52.225{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129289Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:52.225{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129288Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:52.225{7942A313-E057-61FC-0500-000000002D02}416432C:\Windows\system32\csrss.exe{7942A313-ECE8-61FC-A502-000000002D02}7320C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000129287Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:52.225{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129286Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:52.225{7942A313-ECE7-61FC-A302-000000002D02}72686840C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7942A313-ECE8-61FC-A502-000000002D02}7320C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2be405|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2be05f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2bdb80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2bdb08|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2bc1c3|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+7d8e81|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+7d828a|UNKNOWN(00007FFF98E43680)|UNKNOWN(00007FFF98E43680)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b56b2fd9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b568cf9b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b568cbd6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b6154f04(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92
c9e05\System.Management.Automation.ni.dll+b5649b48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b56ad5ba(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b568f5c9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b568f5c9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b568f5c9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b568f45a(wow64) 154100x8000000000000000129285Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:52.238{7942A313-ECE8-61FC-A502-000000002D02}7320C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\rhqtkp4e\rhqtkp4e.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{7942A313-ECE5-61FC-0353-220000000000}0x2253030HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{7942A313-ECE7-61FC-A302-000000002D02}7268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand 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 11241100x8000000000000000129284Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:52.225{7942A313-ECE7-61FC-A302-000000002D02}7268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\rhqtkp4e\rhqtkp4e.cmdline2022-02-04 09:07:52.225 11241100x8000000000000000129283Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.localDLL2022-02-04 09:07:52.225{7942A313-ECE7-61FC-A302-000000002D02}7268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\rhqtkp4e\rhqtkp4e.dll2022-02-04 09:07:52.225 23542300x8000000000000000129282Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:52.209{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=58EB95E93DC758AEE9EC520079DB2E6F,SHA256=26AAC0791E01D84152B8D9A29CCD139F342D57A41C3AB905F960A72226481E15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129373Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:53.531{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBB01182ECA452F1444DD4D584F5DD8F,SHA256=ED08AD84628598001519E0B48468A2A7CF116F268D06F5809014A9BB1CE88E39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129372Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:53.431{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=006E37EF7D508E68B32029B1176282B7,SHA256=8FBBB4ED4626D797DBD1AC0843FF1481E49B72BF200E5B817677E0DAC359D82D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000129371Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:53.368{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129370Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:53.368{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129369Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:53.368{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000129368Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:53.352{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1e908|C:\Windows\system32\lsasrv.dll+1db31|C:\Windows\system32\lsasrv.dll+1c350|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129367Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:53.352{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+10f0e|C:\Windows\system32\lsasrv.dll+1ad36|C:\Windows\system32\lsasrv.dll+1c2df|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129366Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:53.352{7942A313-E057-61FC-0B00-000000002D02}632832C:\Windows\system32\lsass.exe{7942A313-E05A-61FC-1400-000000002D02}964C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b8ad|C:\Windows\system32\lsasrv.dll+2878b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
23542300x8000000000000000129365Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:53.315{7942A313-ECE5-61FC-9D02-000000002D02}7696ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129364Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:53.315{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=95B7065B3C66F76DD68EB6B76711523A,SHA256=435D1B59C879BAC9C000D776BFEFF3B419D34DD9A165297773D3F0FBAD884FCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129363Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:53.315{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=851396951856A35FE9D0F30AC26D897D,SHA256=50524ED3C19209391DBDA74C1A8D17AD632A9D06229A305A9524BFD48E1662B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129362Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:53.268{7942A313-ECE6-61FC-9E02-000000002D02}7076ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=33BFF218FD8B5198ABB691ED6128FCB4,SHA256=DB507A0506A3CCE391792299D76C60A29BC0BFFB46A9736BD0589266B5AC66D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129361Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:53.169{7942A313-ECE7-61FC-A302-000000002D02}7268ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000129360Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:53.146{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-ECE7-61FC-A302-000000002D02}7268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000129359Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:53.145{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-ECE7-61FC-A302-000000002D02}7268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129358Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:53.144{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-ECE7-61FC-A302-000000002D02}7268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 12241200x8000000000000000129357Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-DeleteKey2022-02-04 09:07:53.135{7942A313-ECE9-61FC-AA02-000000002D02}6444C:\Windows\system32\reg.exeHKLM\System\CurrentControlSet\Control\Print\Monitors\ART 10341000x8000000000000000129356Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:53.129{7942A313-ECE5-61FC-9B02-000000002D02}70726936C:\Windows\system32\conhost.exe{7942A313-ECE9-61FC-AA02-000000002D02}6444C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129355Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:53.127{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129354Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:53.127{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129353Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:53.127{7942A313-E057-61FC-0500-000000002D02}416432C:\Windows\system32\csrss.exe{7942A313-ECE9-61FC-AA02-000000002D02}6444C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000129352Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:53.127{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129351Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:53.127{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129350Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:53.126{7942A313-ECE9-61FC-A902-000000002D02}76446680C:\Windows\system32\cmd.exe{7942A313-ECE9-61FC-AA02-000000002D02}6444C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000129349Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:53.126{7942A313-ECE9-61FC-AA02-000000002D02}6444C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "hklm\system\currentcontrolset\control\print\monitors\ART" /f 
C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{7942A313-ECE5-61FC-0353-220000000000}0x2253030HighMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{7942A313-ECE9-61FC-A902-000000002D02}7644C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "reg delete "hklm\system\currentcontrolset\control\print\monitors\ART" /f >nul 2>&1" 10341000x8000000000000000129348Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:53.123{7942A313-ECE7-61FC-A302-000000002D02}72686840C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7942A313-ECE9-61FC-A902-000000002D02}7644C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\d2fec25a57171882b3ac890135fca30b\System.ni.dll+2c01f5|UNKNOWN(00007FFF991EC5D3) 10341000x8000000000000000129347Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:53.122{7942A313-ECE5-61FC-9B02-000000002D02}70726936C:\Windows\system32\conhost.exe{7942A313-ECE9-61FC-A902-000000002D02}7644C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000129346Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:53.116{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129345Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:53.116{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000129344Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:53.116{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129343Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:53.116{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000129342Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:53.116{7942A313-E057-61FC-0500-000000002D02}416532C:\Windows\system32\csrss.exe{7942A313-ECE9-61FC-A902-000000002D02}7644C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000129341Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:53.115{7942A313-ECE7-61FC-A302-000000002D02}72686840C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{7942A313-ECE9-61FC-A902-000000002D02}7644C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\58da6e5201995d30dd2fe4466745f540\Microsoft.PowerShell.Commands.Management.ni.dll+ffffffff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\58da6e5201995d30dd2fe4466745f540\Microsoft.PowerShell.Commands.Management.ni.dll+ffffffff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\58da6e5201995d30dd2fe4466745f540\Microsoft.PowerShell.Commands.Management.ni.dll+ffffffff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\58da6e5201995d30dd2fe4466745f540\Microsoft.PowerShell.Commands.Management.ni.dll+ffffffff(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b568c4b3(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b568c31a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Manageme
nt.Automation.ni.dll+b571544b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b56845a0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b6154e22(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b5649b48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b56ad5ba(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b568f5c9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b568f5c9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b568f5c9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b568f5c9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b568f5c9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b568f5c9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b568f45a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automation.ni.dll+b568017a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\af2648a1dba4410c1e087d65f92c9e05\System.Management.Automati
on.ni.dll+b56bc81d(wow64) 154100x8000000000000000129340Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:53.115{7942A313-ECE9-61FC-A902-000000002D02}7644C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "reg delete "hklm\system\currentcontrolset\control\print\monitors\ART" /f >nul 2>&1" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{7942A313-ECE5-61FC-0353-220000000000}0x2253030HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{7942A313-ECE7-61FC-A302-000000002D02}7268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand 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 11241100x8000000000000000129339Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:53.114{7942A313-ECE7-61FC-A302-000000002D02}7268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-err.txt2022-02-04 09:07:49.210 11241100x8000000000000000129338Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:53.113{7942A313-ECE7-61FC-A302-000000002D02}7268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-out.txt2022-02-04 09:07:49.210 10341000x8000000000000000129337Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:07:53.068{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-ECE7-61FC-A302-000000002D02}7268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129336Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:53.066{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-ECE7-61FC-A302-000000002D02}7268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 
10341000x8000000000000000129335Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:53.065{7942A313-E057-61FC-0B00-000000002D02}6326932C:\Windows\system32\lsass.exe{7942A313-ECE7-61FC-A302-000000002D02}7268C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+6ea9c|C:\Windows\system32\lsasrv.dll+e6974|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000129375Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:54.551{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56DF172A7B9716E167438B16C1F4C26C,SHA256=41BD79A470C699E72F9B88DC8F3728FBC47F931354ED6756B318B2B58460DAF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129374Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:54.115{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA22365686FF807F3A728F1A6DBBC2F2,SHA256=D38789B6B71CC57CC07A112B0B1020C3EADE2C33F165A0B045D2250425053C95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129376Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:55.568{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=041FD931EC58C503E51944622B2BACDC,SHA256=32BB39D35FF07C60280CFD17050F2270BE47E40C9AB697CCA999A7E6B0C1AFDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129381Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:56.583{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D48253485A0B344C13AA3D34C33553C,SHA256=FDF1309B00CB544FFCFE6D639D07EE9949D711A9023E6EAA384DFD7200EF9218,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129380Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:56.449{7942A313-E82C-61FC-9101-000000002D02}4948ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q2h6ebb1.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000129379Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:56.447{7942A313-E82C-61FC-9101-000000002D02}4948ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q2h6ebb1.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=D54CBF06654222D94C130EC9018EC566,SHA256=FE4C0648A06BB18F6FA9AC29F6B18EA75D57C945096DFCAD5AB7AE3C4A991E06,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000129378Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:54.617{7942A313-E078-61FC-6A00-000000002D02}3528C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49422-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000129377Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:56.017{7942A313-E06B-61FC-2400-000000002D02}2760NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db9be1e42b7ba0dd\channels\health\respondent-20220204081438-051MD5=E4EA031637ACBB6F47BD231C2E2E1E96,SHA256=5C6E1C437BF72BDE074F4E51EF9D1792A62DAB991F745007C61C3F065E9CCEC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129383Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:57.598{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCDF8F1BFDEF1C03DAF43BA0C223ECAB,SHA256=FFBFD325CAD971A7240677B4EA7B22C0C665C9A5331A637175AAF21F51BEAB30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129382Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:57.031{7942A313-E06B-61FC-2400-000000002D02}2760NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db9be1e42b7ba0dd\channels\health\surveyor-20220204081435-052MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129384Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:58.614{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2F83941B73AD169FB9DB694101DEA45,SHA256=7C40CE2C14A776456E9D976E7EC1DD9F3073A23490390F808E3965B1151C540D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000129395Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-SetValue2022-02-04 09:07:59.683{7942A313-E057-61FC-0B00-000000002D02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000129394Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-SetValue2022-02-04 09:07:59.683{7942A313-E057-61FC-0B00-000000002D02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00314836) 
13241300x8000000000000000129393Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-SetValue2022-02-04 09:07:59.683{7942A313-E057-61FC-0B00-000000002D02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8199e-0x52caa65b) 13241300x8000000000000000129392Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-SetValue2022-02-04 09:07:59.683{7942A313-E057-61FC-0B00-000000002D02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d819a6-0xb48f0e5b) 13241300x8000000000000000129391Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-SetValue2022-02-04 09:07:59.683{7942A313-E057-61FC-0B00-000000002D02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d819af-0x1653765b) 13241300x8000000000000000129390Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-SetValue2022-02-04 09:07:59.683{7942A313-E057-61FC-0B00-000000002D02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000129389Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-SetValue2022-02-04 09:07:59.683{7942A313-E057-61FC-0B00-000000002D02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00314836) 13241300x8000000000000000129388Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-SetValue2022-02-04 09:07:59.683{7942A313-E057-61FC-0B00-000000002D02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8199e-0x52caa65b) 
13241300x8000000000000000129387Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-SetValue2022-02-04 09:07:59.683{7942A313-E057-61FC-0B00-000000002D02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d819a6-0xb48f0e5b) 13241300x8000000000000000129386Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-SetValue2022-02-04 09:07:59.683{7942A313-E057-61FC-0B00-000000002D02}632C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d819af-0x1653765b) 23542300x8000000000000000129385Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:07:59.614{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CD33FEE7E9ABF704E27B028F4F66B81,SHA256=C5053BE9F7836E3B82B4BD0911EE9BCA9334EB9E7937F245412D58084E70AAC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129396Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:00.616{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57CE29C7A5BF7B675C81DDD26102DAC7,SHA256=AB1B3C7E20B28C98062968A1AEFCBDAAA047C05E63547F2B7ABA767EF6144EA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129397Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:01.649{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A3CD6908F2541E71437A6B6095D4B96,SHA256=39900E6D4BCB1DD42A51DD9BED07B3A0C8FE5C7DB50B43776431997F4D4E1DBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129454Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:17.952{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BA77A38BF800EFB9DC529ADE74E928B,SHA256=658C3363DF49DB4D8409E5879A47ABC96BC518B78D668CDDA723AA6384105509,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129457Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:18.973{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF8BBDE3D0A6E1331890F925CBA9358B,SHA256=45A6BB0ADB48606E2F796DC0A83F3A604420F6D44F23C02E29D5F007CEA71DDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129456Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:18.752{7942A313-E05A-61FC-1000-000000002D02}380NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=9F3C1CE55EAB6A33E1691EF29A28358F,SHA256=86CA0232FCBB43C01ED9FF93B19F2305B6F861A6D2CB6BB603D5626CCB8E0DC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000129455Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:08:17.520{7942A313-E078-61FC-6A00-000000002D02}3528C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49426-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000129458Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:19.989{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C43D74D28A43F52A4165F5CD888797DF,SHA256=9C4ED2C0EF337414E832309D5558B4EEE08F576C74B27885B5BEEB56BF6EB234,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129459Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:20.991{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A7C080BF728842A54D99A15BEEB348D,SHA256=50A02CB85C3DFBD0D58F3FFC9E7E7B898CCF39D327DDCA4A9F69549C27AB3809,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129460Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:22.022{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=745D679810312A105C49590201AF4BF4,SHA256=CDABF315FD9E2AB0836A91C0F69629643F1C3265B967944F5A9039A58652DA21,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000129461Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:23.056{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4ADD5AF18ED9A4CDC71488501F71145,SHA256=9A7291DF4604C10908AA41A431AAA7D56F2EEF2DC234B5FC4157C212C4A5A442,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000129463Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:23.454{7942A313-E078-61FC-6A00-000000002D02}3528C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49427-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000129462Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:24.090{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D95E0C30B2938C95851887C75E252BA7,SHA256=40928DFCC2CA4BBE05C95661808C113B429E55D54BC8834499D0D1263B9BB20A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129464Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:25.105{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73D7F594D6C13FED4188A7352FBE4AB9,SHA256=34AC77F5C0CAEF16212BB88CBBAE8C2808A1E11DBC1756D167CE6898B2482660,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129465Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:26.105{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1592C1132553A68E27DC37B6A2FE95E6,SHA256=981CE2F574DB3B583A6B12A6D235394F22262417BC890F87E8F45DB165A40E27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129466Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:27.105{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C4D5F3C70FCC914BDED6B46D7410A96,SHA256=5770436EB4FCF2ACD99F163E3B231BF931E24808129DB0F85BD9D6C14AF602A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129467Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:28.121{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87EE156BB5E685B2E6D8411B490BBEF5,SHA256=FC54573440B5784A62B27BB34613842B0EAC085353A8A41E245B29F8F7BA16E5,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000129469Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:28.469{7942A313-E078-61FC-6A00-000000002D02}3528C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49428-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000129468Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:29.121{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F9CAB67C497084AFA03DE66DD56E599,SHA256=013682EABE185E4000887ED4DAF7DAAEAF9F1F0B013E349887584E6EFDD4B362,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129470Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:30.152{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B959AE62B50D68EA86805AD4B770CE1B,SHA256=591835F28FEB771B3399158574564BFFCC8A225B78F7CB24CF0589E6D82853D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129471Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:31.170{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E464855C0F706169E3307FC98439F141,SHA256=15C50D6D1E0B71D678D9BB219D4D07306153975F272F729F6500160DDD49F0DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129472Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:32.189{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3E90A844BAB1E3A09E7771C2F61BB4B,SHA256=CC9E7FE5A88A78EFDA5CAE53A5E1B2D97B32490A9A1792D04C5E574689522543,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129473Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:33.204{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03020AEE7FD7AC1897435E1838A595C2,SHA256=00B1B734F0016F0A5F78B664F63AA957D6FDCA5F73BA340468B7954F5F6D2CB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129474Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:34.221{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E1281384517A4B0D579740E383DAE49,SHA256=A849656CC72FE078087465246AF3AE1C248FB89AAC8EA020BD8B9B3A767B42A1,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000129476Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:34.414{7942A313-E078-61FC-6A00-000000002D02}3528C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49429-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000129475Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:35.222{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14E83E460D853868D2861FFCC87D8BCC,SHA256=B2DC295DD247CDA26C4CBE35FDA7EBCDFEEDF9040411E441ECCD9A278B874451,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129478Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:36.839{7942A313-E06B-61FC-2C00-000000002D02}2984NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=5C26B02D61C9CA11B62F56EF590BE2EB,SHA256=776E31D58FF579022BC8020FE9592BEE5F30D4F4E31843A0B71240D3BA40BA6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129477Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:36.237{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3300226EFF513DDD471D1FA3007DF3F9,SHA256=DF26AFB5B546BE61EA131E6E7BD27F8E58A8317CD3054A141104FD546355CA3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129479Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:37.238{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B85CF369BB306C7079ADC8E658DB2E18,SHA256=53A33714819698E3A0DA9A59334FB924BFE756120A543949A5C1D1201692C2E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000129481Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:37.171{7942A313-E06B-61FC-2C00-000000002D02}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49430-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000129480Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:38.254{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CE9FCB2A735D56D6C703856FDE76769,SHA256=B7215812B22AE1B794F41579BC1C58FE38E456A821266C5CB6B7344C2DB07F57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129482Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:39.273{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E57831D49CCAB04A14B4BF04A50BBB91,SHA256=111ED3D88ED02414397C0B6347B2D2888AAA8C1A627296C8F3CD76A779F220C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129483Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:40.291{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53DABBF142CD5BDA7444725206E27039,SHA256=70A727FD1CCED2E024BB250E7192867003C55F01EA5EF5906DF62F7217E19BC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000129485Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:40.373{7942A313-E078-61FC-6A00-000000002D02}3528C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49431-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000129484Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:41.292{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55F60AE0DB8C7E08C1A9C759D1AFDC87,SHA256=1F57649EDFE54E38C09FBB307D166E34E456FCF73068674E7BAAF69EC24B2368,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129486Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:08:42.304{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E8AF35F3F4E40B4079378B6CEB855F3,SHA256=3627DD2353F781A03824B6DF79F60DB1D08759E8A6C759D5DE6855F5C3F8C43D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129488Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:43.703{7942A313-E82C-61FC-9101-000000002D02}4948ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\q2h6ebb1.default-release\datareporting\aborted-session-pingMD5=BD8AADD74CA5E15C77566407417293D8,SHA256=F87A888B335D28359C40D2BA14295840B5122A5BA6028F07DA1674AD2746EFB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129487Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:43.319{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF05AFD8FBFE797553652E6EA78036CB,SHA256=C6215823E3657DC6AA37495A3FAEA234CBD12B0E30C3CF14F139968148F2E3E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129489Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:44.334{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03CE6C4008DFD92B0F8F812170B57BCF,SHA256=79C976CE4CB6FE3A345377E7544AA988C3C7069B270A5EB6EFB3C35D7E7440E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129490Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:45.349{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BA74822653865AA6AACBFEBF2AEBAE6,SHA256=8444ED557F5FB40FEFB3098AF2DC5AAC36E0E46C70AEAC91E8326BFA64775091,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000129492Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:45.381{7942A313-E078-61FC-6A00-000000002D02}3528C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49432-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000129491Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:46.365{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11FFD6820DC91E06503B9804B9B1F41C,SHA256=E3D00FD7ED77A11E0C3E31A49A0E62FD0CED8231E6269A78E69B3D4B88845441,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129493Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:47.383{7942A313-E081-61FC-7300-000000002D02}3612NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5633640A495FBAFED3EC4A64E327627,SHA256=51BD5CBE1EBB498C9B95496F865B008D26F86C4756A972F4978BF03AEF8C9CF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129494Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:48.400{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3543F843CA4FA06D22AC47C5CE23DFF5,SHA256=0D7C625A3CB6536CBF7B26DE47664E6880373B09DCC5D697400F46D1627B664C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129505Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:49.831{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69A04C28CA10C01698EFBEBEBBEBF4D0,SHA256=7643148D7DBB6697B6F30579E9D53DE6D4E233065C394DEDF769F3F200036765,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129504Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:49.831{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=721BA3F605CDF955A3550B3AF72E51B2,SHA256=B0744EAFC11AF1A83C01C1A1F05FD16F69DA202AC6FCEB75CAE388B95B0A2E51,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000129503Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:49.784{7942A313-E06C-61FC-3300-000000002D02}32243244C:\Windows\system32\conhost.exe{7942A313-ED21-61FC-AF02-000000002D02}7336C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129502Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:49.781{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129501Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:08:49.780{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129500Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:49.780{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129499Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:08:54.881{7942A313-E05A-61FC-0D00-000000002D02}892912C:\Windows\system32\svchost.exe{7942A313-E5D0-61FC-3501-000000002D02}4168C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129541Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:54.881{7942A313-E05A-61FC-0D00-000000002D02}892912C:\Windows\system32\svchost.exe{7942A313-E5D0-61FC-3501-000000002D02}4168C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129540Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:08:54.881{7942A313-E05A-61FC-0D00-000000002D02}892912C:\Windows\system32\svchost.exe{7942A313-E5D1-61FC-3601-000000002D02}4400C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129539Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:54.881{7942A313-E05A-61FC-0D00-000000002D02}892912C:\Windows\system32\svchost.exe{7942A313-E5D1-61FC-3601-000000002D02}4400C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129538Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:08:54.881{7942A313-E05A-61FC-0D00-000000002D02}892912C:\Windows\system32\svchost.exe{7942A313-E5D1-61FC-3601-000000002D02}4400C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129537Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:54.881{7942A313-E05A-61FC-0D00-000000002D02}892912C:\Windows\system32\svchost.exe{7942A313-E5D1-61FC-3601-000000002D02}4400C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129536Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:08:54.881{7942A313-E05A-61FC-0D00-000000002D02}892912C:\Windows\system32\svchost.exe{7942A313-E5D1-61FC-3601-000000002D02}4400C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129535Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:54.881{7942A313-E05A-61FC-0D00-000000002D02}892912C:\Windows\system32\svchost.exe{7942A313-E5D1-61FC-3601-000000002D02}4400C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129534Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:08:54.881{7942A313-E05A-61FC-0D00-000000002D02}892912C:\Windows\system32\svchost.exe{7942A313-E5D1-61FC-3601-000000002D02}4400C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129533Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:54.881{7942A313-E05A-61FC-0D00-000000002D02}892912C:\Windows\system32\svchost.exe{7942A313-E5D1-61FC-3601-000000002D02}4400C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14412|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000129532Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:54.465{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78488BEBDEA0CA7B1DC9A3E08EFE41F0,SHA256=D7CBC9CFD03AE3EE2B712F0088AB2E9638401FC26646715F45CE80873C3D2E2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129564Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:55.804{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A3B0F675553A5DBD2B6FE6DD751EBD1,SHA256=D9D3C689178F557654AEDEBD348CD113EFA946D78BE70CFB30D994C2DD9F3AB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129565Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:56.819{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34F7BE1C6EF1F09E00C64B8D7B9A0901,SHA256=DA9253F272FDD3B6390D7A28F87EA8EE70523F52A3316D93608A46296EAB303D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129567Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:57.851{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=712DBDABF41ECE47DEECC7E03750CC90,SHA256=C552499E0844274CA95E42C7EF63EF2EE4F1092858A4C395D6AC1BA57D2F3B8B,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000129566Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:57.569{7942A313-E06B-61FC-2400-000000002D02}2760NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db9be1e42b7ba0dd\channels\health\respondent-20220204081438-052MD5=E4EA031637ACBB6F47BD231C2E2E1E96,SHA256=5C6E1C437BF72BDE074F4E51EF9D1792A62DAB991F745007C61C3F065E9CCEC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129570Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:58.866{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6FA736E80C819D8CCF28FA0C471176E,SHA256=5B50785FD7B760ECD215F0E6A2F7C35912E78E614FEC24F925D026DA32F0EA12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129569Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:58.571{7942A313-E06B-61FC-2400-000000002D02}2760NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0db9be1e42b7ba0dd\channels\health\surveyor-20220204081435-053MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000129568Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:56.497{7942A313-E078-61FC-6A00-000000002D02}3528C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49435-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000129571Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:08:59.869{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B64D6B86F1807406C275687EC25B69FD,SHA256=B9F75112104A63506D068BEF9BA9154DD18ED77DF9FB046F143A058E82E778AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129572Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:09:00.869{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FEF4DB3981716D5DD40FA748828BF4D,SHA256=17630DB8FCA0E37D5E35C7AD17931BF0BBB4985F4AA6B6A87E3022FCB209FA15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129573Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:09:01.906{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=682C7BE7BD073035FE347043A588B9E7,SHA256=09EFBBD516DB7370DB57DFFFD0906F57F51044D196DFC703EFEE34B0334743E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129575Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:09:02.908{7942A313-E081-61FC-7300-000000002D02}3612NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AA495974156C1B3C898B2EF727BF5FA,SHA256=A01139FA3C14DF74D47AE5582734AA78EC7B22759E43A0A638088D58AD8CF61F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000129574Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:09:01.531{7942A313-E078-61FC-6A00-000000002D02}3528C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-tcontreras-attack-range-492.attackrange.local49436-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000129576Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:09:03.939{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A8651C1D13436118DF4E672915CBEE9,SHA256=372C5068957CD672920A84D9998209C8AF6748A7D22C25AB86B7C3B3FDD4135C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000129577Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:09:04.940{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF476A88DED410DD8512903854852271,SHA256=90EB3F3D7239B785179AC779E0AC3E629BB62F35E2552B148FA96047F6BA63A3,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000129595Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:09:05.963{7942A313-E081-61FC-7300-000000002D02}3612NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35DF9F7B54A2235AECA965811824FAF7,SHA256=DC6D0D5794C06BCEC6D9E4B3F8C830D0A98EB6F01308F8060AFD6A71539962E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000129594Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:09:05.932{7942A313-E06C-61FC-3300-000000002D02}32243244C:\Windows\system32\conhost.exe{7942A313-ED31-61FC-B302-000000002D02}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129593Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:09:05.932{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129592Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:09:05.932{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129591Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:09:05.932{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129590Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:09:05.932{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129589Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:09:05.932{7942A313-E057-61FC-0500-000000002D02}416408C:\Windows\system32\csrss.exe{7942A313-ED31-61FC-B302-000000002D02}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000129588Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:09:05.932{7942A313-E06B-61FC-2C00-000000002D02}29844028C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{7942A313-ED31-61FC-B302-000000002D02}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000129587Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:09:05.933{7942A313-ED31-61FC-B302-000000002D02}7504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{7942A313-E058-61FC-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{7942A313-E06B-61FC-2C00-000000002D02}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000129586Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:09:05.507{7942A313-ED31-61FC-B202-000000002D02}75647852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{7942A313-E06B-61FC-2C00-000000002D02}2984C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129585Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:09:05.257{7942A313-E06C-61FC-3300-000000002D02}32243244C:\Windows\system32\conhost.exe{7942A313-ED31-61FC-B202-000000002D02}7564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129584Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 
09:09:05.257{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129583Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 09:09:05.257{7942A313-E059-61FC-0C00-000000002D02}8363708C:\Windows\system32\svchost.exe{7942A313-E06B-61FC-2800-000000002D02}2844C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a563|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+52d3c|C:\Windows\System32\RPCRT4.dll+358e4|C:\Windows\System32\RPCRT4.dll+347fd|C:\Windows\System32\RPCRT4.dll+350ab|C:\Windows\System32\RPCRT4.dll+20e9c|C:\Windows\System32\RPCRT4.dll+2131c|C:\Windows\System32\RPCRT4.dll+1049c|C:\Windows\System32\RPCRT4.dll+11cfb|C:\Windows\System32\RPCRT4.dll+1a5ca|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000129582Microsoft-Windows-Sysmon/Operationalwin-dc-tcontreras-attack-range-492.attackrange.local-2022-02-04 